Preface


The protection of sensitive information against unauthorized access or fraudulent changes has been of prime concern throughout the centuries. Modern communication techniques, using computers connected through networks, make all data even more vulnerable to these threats. Also, new issues have come up that were not relevant before, e.g. how to add a (digital) signature to an electronic document in such a way that the signer cannot deny later on that the document was signed by him/her.


Cryptology addresses the above issues. It is at the foundation of all information security. The techniques employed to this end have become increasingly mathematical in nature. This book serves as an introduction to modern cryptographic methods. After a brief survey of classical cryptosystems, it concentrates on three main areas. First of all, stream ciphers and block ciphers are discussed. These systems have extremely fast implementations, but sender and receiver have to share a secret key. Public key cryptosystems (the second main area) make it possible to protect data without a prearranged key. Their security is based on intractable mathematical problems, like the factorization of large numbers. The remaining chapters cover a variety of topics, such as zero-knowledge proofs, secret sharing schemes and authentication codes. Two appendices explain all mathematical prerequisites in great detail. One is on elementary number theory (Euclid's Algorithm, the Chinese Remainder Theorem, quadratic residues, inversion formulas, and continued fractions). The other appendix gives a thorough introduction to finite fields and their algebraic structure.


This book differs from its 1988 version in two ways. That a lot of new material has been added is to be expected in a field that is developing so fast. Apart from a revision of the existing material, there are many new or greatly expanded sections, an entirely new chapter on elliptic curves and also one on authentication codes. The second difference is even more significant. The whole manuscript is electronically available as an interactive Mathematica manuscript. So, there are hyperlinks to other places in the text, but more importantly, it is now possible to work out non-trivial examples. Even a non-expert can easily alter the parameters in the examples and try out new ones. It is our experience, based on teaching at the California Institute of Technology and the Eindhoven University of Technology, that most students truly enjoy the enormous possibilities of a computer algebra notebook. Throughout the book, it has been our intention to make all Mathematica statements as transparent as possible, sometimes sacrificing elegant or smart alternatives that are too dependent on this particular computer algebra package.


There are several people that have played a crucial role in the preparation of this manuscript. In alphabetical order of first name, I would like to thank Fred Simons for showing me the full potential of Mathematica for educational purposes and for enhancing many of the Mathematica commands, Gavin Horn for the many typos that he has found as well as his compilation of solutions, Lilian Porter for her feedback on my use of English, and Wil Kortsmit for his help in getting the manuscript camera-ready and for solving many of my Mathematica questions. I also owe a great debt to the following people who helped me with their feedback on various chapters: Berry Schoenmakers, Bram van Asch, Eric Verheul, Frans Willems, Mariska Sas, and Martin van Dijk.

Henk van Tilborg 

Dept. of Mathematics and Computing Science 

Eindhoven University of Technology 

P.O.Box 513 

5600 MB Eindhoven 

the Netherlands 

email: henkvt@win.tue.nl


1 Introduction 


1.1 Introduction and Terminology 


Cryptology, the study of cryptosystems, can be subdivided into two disciplines. Cryptography 
concerns itself with the design of cryptosystems, while cryptanalysis studies the breaking of 
cryptosystems. These two aspects are closely related; when setting up a cryptosystem the analysis 
of its security plays an important role. At this time we will not give a formal definition of a 
cryptosystem, as that will come later in this chapter. We assume that the reader has the right 
intuitive idea of what a cryptosystem is. 


Why would anybody use a cryptosystem? There are several possibilities: 


Confidentiality: When transmitting data, one does not want an eavesdropper to understand the 
contents of the transmitted messages. The same is true for stored data that should be protected 
against unauthorized access, for instance by hackers. 


Authentication: This property is the equivalent of a signature. The receiver of a message wants 
proof that a message comes from a certain party and not from somebody else (even if the original 
party later wants to deny it). 


Integrity: This means that the receiver of certain data has evidence that no changes have been 
made by a third party. 


Throughout the centuries (see [Kahn67]) cryptosystems have been used by the military and by the diplomatic services. The widespread use nowadays of computer-controlled communication systems in industry and by civil services often calls for special protection of the data by means of cryptographic techniques.


Since the storage, and later recovery, of data can be viewed as transmission of this data in the time 
domain, we shall always use the term transmission when discussing a situation when data is stored 
and/or transmitted. 
1.2 Shannon's Description of a Conventional Cryptosystem


Chapters 2, 3, and 4 discuss several so-called conventional cryptosystems. The formal definition of 
a conventional cryptosystem as well as the mathematical foundation of the underlying theory is 
due to C.E. Shannon [Shan49]. In Figure 1.1, the general outline of a conventional cryptosystem is 
depicted. 


In the next section we shall elaborate on concepts like language and text. This will provide a cryptanalyst with useful models when describing the output of the sender in the scheme.





[Figure 1.1: The conventional cryptosystem. The key is shared by Alice and Bob over a secure channel; the ciphertext travels over the ordinary channel.]


Let $A$ be a finite set, which we will call alphabet. With $|A|$ we denote the cardinality of $A$. We shall often use $\mathbb{Z}_q = \{0, 1, \ldots, q-1\}$ as alphabet, where we work with its elements modulo $q$ (see the beginning of Subsection A.3.1 and Section B.2). The alphabet $\mathbb{Z}_{26}$ can be identified with the set $\{a, b, \ldots, z\}$. In most modern applications $q$ will be 2 or a power of 2.


A concatenation of $n$ letters from $A$ will be called an $n$-gram and denoted by $\mathbf{a} = (a_0, a_1, \ldots, a_{n-1})$. Special cases are bi-grams ($n = 2$) and tri-grams ($n = 3$). The set of all $n$-grams from $A$ will be denoted by $A^n$.


A text is an element from $A^* = \bigcup_{n \ge 0} A^n$. A language is a subset of $A^*$. In the case of programming languages this subset is precisely defined by means of recursion rules. In the case of spoken languages these rules are very loose.


Let $A$ and $B$ be two finite alphabets. Any one-to-one mapping $E$ of $A^*$ to $B^*$ is called a cryptographic transformation. In most practical situations $|A|$ will be equal to $|B|$. Also, often the cryptographic transformation $E$ will map $n$-grams into $n$-grams (to avoid data expansion during the encryption process).
Let $m$ be the message (a text from $A^*$) that Alice in Figure 1.1 wants to transmit in secrecy to Bob. It is usually called the plaintext. Alice will first transform the plaintext into $c = E(m)$, the so-called ciphertext. It will be the ciphertext that she will transmit to Bob.


Definition 1.1
A symmetric (or conventional) cryptosystem $\mathcal{C}$ is a set of cryptographic transformations $\mathcal{C} = \{E_k \mid k \in \mathcal{K}\}$.

The index set $\mathcal{K}$ is called the key space, and its elements $k$ keys.


Since $E_k$ is a one-to-one mapping, its inverse must exist. We shall denote it with $D_k$. Of course, the $E$ stands for encryption (or enciphering) and the $D$ for decryption (or deciphering). One has

$D_k(E_k(m)) = m$, for all plaintexts $m \in A^*$ and keys $k \in \mathcal{K}$.


If Alice wants to send the plaintext $m$ to Bob by means of the cryptographic transformation $E_k$, both Alice and Bob must know the particular choice of the key $k$. They will have agreed on the value of $k$ by means of a so-called secure channel. This channel could be a courier, but it could also be that Alice and Bob have, beforehand, agreed on the choice of $k$.


Bob can decipher $c$ by computing $D_k(c) = D_k(E_k(m)) = m$.


Normally, the same cryptosystem $\mathcal{C}$ will be used for a long time and by many people, so it is reasonable to assume that this set of cryptographic transformations $\mathcal{C}$ is also known to the cryptanalyst. It is the frequent changing of the key that has to provide the security of the data. This principle was already clearly stated by the Dutchman Auguste Kerckhoffs (see [Kahn67]) in the 19th century and is known today as Kerckhoffs' principle.


The cryptanalyst (Eve) who is connected to the transmission line can be:

- passive (eavesdropping): The cryptanalyst tries to find $m$ (or even better $k$) from $c$ (and whatever further knowledge he has). By determining $k$ more ciphertexts may be broken.

- active (tampering): The cryptanalyst tries to actively manipulate the data that are being transmitted. For instance, he transmits his own ciphertext, retransmits old ciphertext, substitutes his own texts for transmitted ciphertexts, etc.


In general, one discerns three levels of cryptanalysis:

- Ciphertext only attack: Only a piece of ciphertext is known to the cryptanalyst (and often the context of the message).

- Known plaintext attack: A piece of ciphertext with corresponding plaintext is known. If a system is secure against this kind of attack the legitimate receiver does not have to destroy deciphered messages.

- Chosen plaintext attack: The cryptanalyst can choose any piece of plaintext and obtain the corresponding ciphertext. The public-key cryptosystems that we shall discuss in Chapters 7-12 have to be secure against this kind of attack, since there anybody can encrypt.

A fourth level, the chosen ciphertext attack, in which the cryptanalyst can in addition obtain the decryption of ciphertexts of his own choice (other than the one he wants to break), is the standard of comparison for public-key systems in current practice.


This concludes our general description of the conventional cryptosystem as depicted in Figure 1.1. 


1.3 Statistical Description of a Plaintext Source 


In cryptology, especially when one wants to break a particular cryptosystem, a probabilistic 
approach to describe a language is often already a powerful tool, as we shall see in Section 2.2. 


The person Alice in Figure 1.1 stands for a finite or infinite plaintext source $\mathcal{S}$ of text, that was called plaintext, from an alphabet $A$, e.g. $\mathbb{Z}_q$. It can be described as a finite resp. infinite sequence of random variables $M_i$, so by sequences

$M_0, M_1, \ldots, M_{n-1}$ for some fixed value of $n$,
resp.
$M_0, M_1, M_2, \ldots$,

each described by probabilities that events occur. So, for each letter combination ($r$-gram) $(m_0, m_1, \ldots, m_{r-1})$ over $A$ and each starting point $j$ the probability

$\Pr_{\mathrm{plain}}(M_j = m_0, M_{j+1} = m_1, \ldots, M_{j+r-1} = m_{r-1})$

is well defined. In the case that $j = 0$, we shall simply write $\Pr_{\mathrm{plain}}(m_0, m_1, \ldots, m_{r-1})$. Of course, the probabilities that describe the plaintext source $\mathcal{S}$ should satisfy the standard statistical properties, that we shall mention below but on which we shall not elaborate.

i) $\Pr_{\mathrm{plain}}(m_0, m_1, \ldots, m_{r-1}) \ge 0$ for all texts $(m_0, m_1, \ldots, m_{r-1})$.
ii) $\sum_{(m_0, m_1, \ldots, m_{r-1})} \Pr_{\mathrm{plain}}(m_0, m_1, \ldots, m_{r-1}) = 1$.
iii) $\sum_{(m_r, m_{r+1}, \ldots, m_{l-1})} \Pr_{\mathrm{plain}}(m_0, m_1, \ldots, m_{l-1}) = \Pr_{\mathrm{plain}}(m_0, m_1, \ldots, m_{r-1})$, for all $l > r$.

The third property is called Kolmogorov's consistency condition.


Example 1.1

The plaintext source $\mathcal{S}$ (Alice in Figure 1.1) generates individual letters (1-grams) from $\{a, b, \ldots, z\}$ with an independent but identical distribution, say $p(a), p(b), \ldots, p(z)$. So,

$\Pr_{\mathrm{plain}}(m_0, m_1, \ldots, m_{n-1}) = p(m_0)\, p(m_1) \cdots p(m_{n-1})$, $n \ge 1$.

The distribution of the letters of the alphabet in normal English texts is given in Table 1.1 (see Table 12-1 in [MeyM82]). In this model one has that

$\Pr_{\mathrm{plain}}(\mathit{run}) = p(r)\, p(u)\, p(n) = 0.0612 \times 0.0271 \times 0.0709 \approx 1.18 \cdot 10^{-4}$.

Note that in this model also $\Pr_{\mathrm{plain}}(\mathit{nru}) = p(n)\, p(r)\, p(u)$, etc., so, unlike in regular English texts, all permutations of the three letters r, u, and n are equally likely in $\mathcal{S}$.


a 0.0804    h 0.0549    o 0.0760    v 0.0099
b 0.0154    i 0.0726    p 0.0200    w 0.0192
c 0.0306    j 0.0016    q 0.0011    x 0.0019
d 0.0399    k 0.0067    r 0.0612    y 0.0173
e 0.1251    l 0.0414    s 0.0654    z 0.0009
f 0.0230    m 0.0253    t 0.0925
g 0.0196    n 0.0709    u 0.0271

Probability distribution of 1-grams in English.
Table 1.1
Example 1.2

$\mathcal{S}$ generates 2-grams over the alphabet $\{a, b, \ldots, z\}$ with an independent but identical distribution, say $p(s, t)$, with $s, t \in \{a, b, \ldots, z\}$. So, for $n \ge 1$,

$\Pr_{\mathrm{plain}}(m_0, m_1, \ldots, m_{2n-1}) = p(m_0, m_1)\, p(m_2, m_3) \cdots p(m_{2n-2}, m_{2n-1})$.

The distribution of 2-grams in English texts can be found in the literature (see Table 2.3.4 in [Konh81]).


Of course, one can continue like this with tables of the distribution of 3-grams or more. A different 
and more appealing approach is given in the following example. 
[Table 1.3: Transition probabilities $p(t \mid s)$, row $s$, column $t$, in English (from [Konh81]). The $26 \times 26$ matrix is not legible in this copy; the entries used in Example 1.3 are $p(u \mid r) = 0.0192$, $p(n \mid u) = 0.1517$, $p(r \mid u) = 0.1460$, $p(n \mid r) = 0.0325$ and $p(r \mid n) = 0.0011$.]


Example 1.3

In this model, the plaintext source $\mathcal{S}$ generates 1-grams by means of a Markov process. This process can be described by a transition matrix $P = (p(t \mid s))_{s,t}$, which gives the probability that a letter $s$ in the text is followed by the letter $t$. It follows from the theory of Markov processes that $P$ has 1 as an eigenvalue. Let $p = (p(a), p(b), \ldots, p(z))$ be the corresponding left eigenvector, normalized so that its entries sum to 1, i.e. $pP = p$ (it is called the equilibrium distribution of the process).

Assuming that the process is already in its equilibrium state at the beginning, one has

$\Pr_{\mathrm{plain}}(m_0, m_1, \ldots, m_{n-1}) = p(m_0)\, p(m_1 \mid m_0)\, p(m_2 \mid m_1) \cdots p(m_{n-1} \mid m_{n-2})$.


Let $p$ and $P$ be given by Table 1.2 and Table 1.3 from [Konh81] (here they are denoted by "ed" resp. "TrPr"). Then one obtains the following, more realistic probabilities of occurrence:

$\Pr_{\mathrm{plain}}(\mathit{run}) = p(r)\, p(u \mid r)\, p(n \mid u) = 0.0751 \times 0.0192 \times 0.1517 \approx 2.19 \cdot 10^{-4}$,
$\Pr_{\mathrm{plain}}(\mathit{urn}) = p(u)\, p(r \mid u)\, p(n \mid r) = 0.0272 \times 0.1460 \times 0.0325 \approx 1.29 \cdot 10^{-4}$,
$\Pr_{\mathrm{plain}}(\mathit{nru}) = p(n)\, p(r \mid n)\, p(u \mid r) = 0.0814 \times 0.0011 \times 0.0192 \approx 1.72 \cdot 10^{-6}$.


By means of the Mathematica functions ToCharacterCode, Product and Length, these probabilities can be computed in the following way (first enter the input Table 1.2 and Table 1.3, by executing all initialization cells, so that ed is the list of 26 letter probabilities and TrPr the 26 by 26 transition matrix):

    sourcetext = "run";
    letters = ToCharacterCode[sourcetext] - 96;   (* a -> 1, b -> 2, ..., z -> 26 *)
    ed[[First[letters]]] *
      Product[TrPr[[letters[[i]], letters[[i + 1]]]], {i, 1, Length[letters] - 1}]

    0.000218448


Better approximations of a language can be made, by considering transition probabilities that 
depend on more than one letter in the past. 


Note that in the three examples above, the models are all stationary, which means that $\Pr_{\mathrm{plain}}(M_j = m_0, M_{j+1} = m_1, \ldots, M_{j+n-1} = m_{n-1})$ is independent of the value of $j$. In the middle of a regular text one may expect this property to hold, but in other situations this is not the case. Think for instance of the date at the beginning of a letter.
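The three source models of this section, worked out in Python as an added example (it is not part of the book, whose notebook uses Mathematica and the tables ed and TrPr of [Konh81]). Table 1.1 is taken from the page. Because Table 1.3 is not usable here, the transition matrix is instead estimated from a short constructed English sample with add-one smoothing; that sample, the smoothing and all function names are this example's own assumptions. The block computes the i.i.d. probability of Example 1.1, the Markov probability of Example 1.3, the equilibrium distribution as the left eigenvector for eigenvalue 1 (by power iteration) and, as in Problem 1.2 below, ranks all orderings of a set of letters, which is where the two models visibly differ.

```python
from itertools import permutations

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Table 1.1 of the page: 1-gram probabilities of English letters.
ENGLISH_1GRAM = {
    "a": 0.0804, "b": 0.0154, "c": 0.0306, "d": 0.0399, "e": 0.1251,
    "f": 0.0230, "g": 0.0196, "h": 0.0549, "i": 0.0726, "j": 0.0016,
    "k": 0.0067, "l": 0.0414, "m": 0.0253, "n": 0.0709, "o": 0.0760,
    "p": 0.0200, "q": 0.0011, "r": 0.0612, "s": 0.0654, "t": 0.0925,
    "u": 0.0271, "v": 0.0099, "w": 0.0192, "x": 0.0019, "y": 0.0173,
    "z": 0.0009,
}

# Constructed sample text (an assumption of this example; the book uses
# Table 1.3 of [Konh81]). Spaces are dropped, so transitions across word
# boundaries are counted as well.
SAMPLE_CORPUS = "".join(
    "the plaintext source is modelled as a markov process in which each "
    "letter depends only on the letter that came before it so under this "
    "model the word help is much more likely than the same four letters "
    "in some other order and the model can be estimated by counting how "
    "often each letter is followed by each other letter in english text".split())


def prob_iid(text, p=ENGLISH_1GRAM):
    """Example 1.1: Pr_plain(m_0 ... m_{n-1}) = p(m_0) p(m_1) ... p(m_{n-1})."""
    out = 1.0
    for ch in text:
        out *= p[ch]
    return out


def markov_model(corpus):
    """Estimate P = (p(t|s)) of Example 1.3 by counting the bigrams s,t of
    the corpus. Add-one smoothing keeps every row a distribution with no
    zero entry, so the chain is ergodic."""
    counts = {s: {t: 1 for t in ALPHABET} for s in ALPHABET}
    for s, t in zip(corpus, corpus[1:]):
        counts[s][t] += 1
    return {s: {t: counts[s][t] / sum(counts[s].values()) for t in ALPHABET}
            for s in ALPHABET}


def equilibrium(P, iterations=500):
    """Left eigenvector p of P for eigenvalue 1 (p P = p, entries summing
    to 1), obtained by power iteration from the uniform distribution."""
    p = {s: 1.0 / len(ALPHABET) for s in ALPHABET}
    for _ in range(iterations):
        p = {t: sum(p[s] * P[s][t] for s in ALPHABET) for t in ALPHABET}
    return p


def is_stationary(p, P, tol=1e-9):
    """Check p P = p coordinate by coordinate."""
    return all(abs(sum(p[s] * P[s][t] for s in ALPHABET) - p[t]) < tol
               for t in ALPHABET)


def prob_markov(text, p, P):
    """Example 1.3: p(m_0) p(m_1|m_0) ... p(m_{n-1}|m_{n-2})."""
    out = p[text[0]]
    for s, t in zip(text, text[1:]):
        out *= P[s][t]
    return out


def rank_orderings(letters, p, P):
    """Problem 1.2: every ordering of the given letters with its probability
    under the Markov model, most likely first."""
    words = {"".join(perm) for perm in permutations(letters)}
    ranked = [(w, prob_markov(w, p, P)) for w in words]
    return sorted(ranked, key=lambda wp: -wp[1])


if __name__ == "__main__":
    P = markov_model(SAMPLE_CORPUS)
    p = equilibrium(P)
    print("Pr_plain(run), i.i.d. model of Example 1.1:", prob_iid("run"))
    print("Pr_plain(run), Markov model on the sample :", prob_markov("run", p, P))
    for word, prob in rank_orderings("ehlp", p, P)[:5]:
        print(f"{word}  iid={prob_iid(word):.3e}  markov={prob:.3e}")
```

Under the i.i.d. model all 24 orderings of e, h, l, p get exactly the same probability; under the Markov model the orderings that contain likely transitions (h followed by e, l followed by p) come out far ahead of those that do not.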


1.4 Problems 


Problem 1.1

What is the probability that the text "apple" occurs, when the plaintext source generates independent, identically distributed 1-grams, as described in Example 1.1?

Answer the same question when the Markov model of Example 1.3 is used.

Problem 1.2

Use the Mathematica function Permutations and the input formula at the end of Section 1.3 to determine for each of the 24 orderings of the four letters e, h, l, p the probability that it occurs in a language generated by the Markov model of Example 1.3.
2 Classical Cryptosystems


2.1 Caesar, Simple Substitution, Vigenere 


In this chapter we shall discuss a number of classical cryptosystems. For further reading we refer 
the interested reader to ([BekP82], [Denn82], [Kahn67], [Konh81], or [MeyM82]). 


2.1.1 Caesar Cipher 


One of the oldest cryptosystems is due to Julius Caesar. It shifts each letter in the text cyclicly over $k$ places. So, with $k = 7$ one gets the following encryption of the word cleopatra (note that the letter z is mapped to a); each arrow denotes a shift over one place:

cleopatra → dmfpqbusb → engqrcvtc → fohrsdwud → gpistexve → hqjtufywf → irkuvgzxg → jslvwhayh

By using the Mathematica functions ToCharacterCode and FromCharacterCode, which convert symbols to their ASCII code and back (letter a has value 97, letter b has value 98, etc.), the Caesar cipher can be executed by the following function:





    caesar[text_String, k_Integer] :=
      FromCharacterCode[Mod[ToCharacterCode[text] - 97 + k, 26] + 97]

    caesar["cleopatra", 7]

    jslvwhayh
In the terminology of Section 1.2, the Caesar cipher is defined over the alphabet $\{0, 1, \ldots, 25\}$ by:

$E_k(m) = ((m + k) \bmod 26)$, $0 \le m < 26$,

and

$D_k(c) = ((c - k) \bmod 26)$, $0 \le c < 26$,

where $(i \bmod n)$ denotes the unique integer $j$ satisfying $j \equiv i \pmod n$ and $0 \le j < n$. In this case, the key space $\mathcal{K}$ is the set $\{0, 1, \ldots, 25\}$ and $D_k = E_{26-k}$.


An easy way to break the system is to try out all possible keys. This method is called exhaustive key search. In Table 2.1 one can find the cryptanalysis of the ciphertext "xyuysuyifvyxi": the shift back over 4 places yields the Latin tu quoque Brute.

key   candidate plaintext
 0    xyuysuyifvyxi
 1    wxtxrtxheuxwh
 2    vwswqswgdtwvg
 3    uvrvprvfcsvuf
 4    tuquoquebrute

Cryptanalysis of the Caesar cipher
Table 2.1


To decrypt the ciphertext yhaklwpnw, one can easily check all keys with the caesar function defined above:

    Table[caesar["yhaklwpnw", -k], {k, 1, 26}]

    {xgzjkvomv, wfyijunlu, vexhitmkt, udwghsljs, tcvfgrkir, sbuefqjhq,
     ratdepigp, qzscdohfo, pyrbcngen, oxqabmfdm, nwpzalecl,
     mvoyzkdbk, lunxyjcaj, ktmwxibzi, jslvwhayh, irkuvgzxg,
     hqjtufywf, gpistexve, fohrsdwud, engqrcvtc, dmfpqbusb,
     cleopatra, bkdnozsqz, ajcmnyrpy, ziblmxqox, yhaklwpnw}

Only the 22nd candidate, cleopatra, is readable.


2.1.2 Simple Substitution 


The System and its Main Weakness


With the method of a simple substitution one chooses a fixed permutation z of the alphabet 
{a, b, ..., z} and applies that to all letters in the plaintext. 


Example 2.1 


In the following example we only give that part of the substitution $\pi$ that is relevant for the given plaintext. We use the Mathematica function StringReplace, with one rule per plaintext letter that occurs:

    StringReplace["plaintext", {"a" -> "k", "i" -> "b", ...}]


A more formal description of the simple substitution system is as follows: the key space $\mathcal{K}$ is the set $S_q$ of all permutations of $\{0, 1, \ldots, q-1\}$ and the cryptosystem $\mathcal{C}$ is given by

$\mathcal{C} = \{E_\pi \mid \pi \in S_q\}$,

where

$E_\pi(m) = \pi(m)$, $0 \le m < q$.

The decryption function $D_\pi$ is given by $D_\pi = E_{\pi^{-1}}$, as follows from

$D_\pi(E_\pi(m)) = D_\pi(\pi(m)) = E_{\pi^{-1}}(\pi(m)) = \pi^{-1}(\pi(m)) = m$, $0 \le m < q$.


Unlike Caesar's cipher, this system does not have the drawback of a small key space. Indeed, $|\mathcal{K}| = |S_{26}| = 26! \approx 4.03 \cdot 10^{26}$. This system however does demonstrate very well that a large key space should not fool one into believing that a system is secure! On the contrary, by simply counting the letter frequencies in the ciphertext and comparing these with the letter frequencies in Table 1.1, one very quickly finds the images under $\pi$ of the most frequent letters in the plaintext. Indeed, the most frequent letter in the ciphertext will very likely be the image under $\pi$ of the letter e. The next one is the image of the letter t, or of one of the other frequent letters a, o, i, n of Table 1.1, etc. After having found the encryptions of the most frequent letters in the plaintext, it is not difficult to fill in the rest. Of course, the longer the ciphertext, the easier the cryptanalysis becomes. In Chapter 5, we come back to the cryptanalysis of the system, in particular how long the same key can be used safely.
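The Caesar and simple substitution systems of Sections 2.1.1 and 2.1.2 in Python, as an added example that is not part of the book (whose own code is in Mathematica): $E_k$ and $D_k = E_{26-k}$, the exhaustive key search of Table 2.1, $E_\pi$ for an arbitrary permutation, the two key-space sizes, and the letter count that exposes the substitution cipher despite its $26!$ keys. The permutation used for the demonstration is the one recovered from Table 2.2 in the probable-word example of this section; the sample sentence and all function names are this example's own.

```python
import math
from string import ascii_lowercase as ALPHABET

# English letters by decreasing frequency, read off Table 1.1.
ENGLISH_BY_FREQUENCY = "etaoinsrhldcumfpgwybvkxjqz"

# Substitution of the probable-word example (Table 2.2): PI[i] is the image
# of ALPHABET[i], so a -> d, b -> v, c -> y, ...
PI = "dvyqljfczwtpnheaxogimruksb"


def caesar_encrypt(text, k):
    """E_k(m) = (m + k) mod 26, letter by letter; other characters pass through."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + k) % 26] if ch in ALPHABET else ch
                   for ch in text)


def caesar_decrypt(text, k):
    """D_k = E_{26-k}."""
    return caesar_encrypt(text, (26 - k) % 26)


def exhaustive_search(ciphertext):
    """All 26 candidate plaintexts; entry k is D_k(ciphertext) (Table 2.1)."""
    return [caesar_decrypt(ciphertext, k) for k in range(26)]


def substitution_encrypt(text, pi=PI):
    """E_pi(m) = pi(m) for a permutation pi of the alphabet."""
    table = dict(zip(ALPHABET, pi))
    return "".join(table.get(ch, ch) for ch in text)


def substitution_decrypt(text, pi=PI):
    """D_pi = E_{pi^{-1}}."""
    inverse = dict(zip(pi, ALPHABET))
    return "".join(inverse.get(ch, ch) for ch in text)


def key_space_sizes():
    """|K| for the Caesar cipher and for the simple substitution over 26 letters."""
    return 26, math.factorial(26)


def letter_frequencies(text):
    """(letter, relative frequency) pairs, most frequent first."""
    letters = [ch for ch in text if ch in ALPHABET]
    return sorted(((ch, letters.count(ch) / len(letters)) for ch in ALPHABET),
                  key=lambda pair: -pair[1])


def frequency_guess(ciphertext, top=5):
    """Pair the most frequent ciphertext letters with the most frequent English
    letters; returns guessed images {plaintext letter: ciphertext letter}."""
    ranked = [ch for ch, _ in letter_frequencies(ciphertext)]
    return dict(zip(ENGLISH_BY_FREQUENCY[:top], ranked[:top]))


if __name__ == "__main__":
    print(caesar_encrypt("cleopatra", 7))                  # jslvwhayh
    for k, candidate in enumerate(exhaustive_search("xyuysuyifvyxi")):
        print(k, candidate)                                  # k = 4: tuquoquebrute
    print(key_space_sizes())
    sample = "the enemy expects these defences to be weak"   # constructed sentence
    ct = substitution_encrypt(sample)
    print(ct, frequency_guess(ct))                           # e -> l is found at once
```

The frequency guess is only a first step: on a short text the ranking below e is unreliable, which is why the text above continues with the probable-word method rather than with frequencies alone.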


Cryptanalysis by the Method of a Probable Word


In the following example we have knowledge of a very long ciphertext. This is not necessary at all 
for the cryptanalysis of the ciphertext, but it takes that long to know the full key. Indeed, as long as 
two letters are missing in the plaintext, one does not know the full key, but the system is of course 
broken much earlier than that. 


Apart from the ciphertext, given in Table 2.2, we shall assume in this example that the plaintext 
discusses the concept of "bidirectional communication theory". Cryptanalysis will turn out to be 
very easy. 


zhjeo ndize hicle osiol digic lmhzq zolyi zehdp zhjeo ndize
hlpvs uczyc dhzhj eondi zehge moylk zhjpm lhylg gidiz
ppsdo lylzr losye nnmhz ydize hicle osceu lrloq lgyoz
lneol flhlo dpydg lzhuc zyciu eeone olzhj eondi zehge
zhjpm lhyll dycei clogi dizgi zydpp siclq zolyi zehej
hjpml hylzg lkaol gglqv sqzol yilqi odhgj eondi zehxm
zlguc zycyd hehps vlqlo zrlqz jiclp duejy dmgdp ziszg
rlqqz gizhf mzgcz hficl ldopz loydm gljoe niclp dilol
zhvze pefsd hqgey zepef syenn mhzyd izehi cleos gllng
luzql daapz ydize hgqml ieicl jdyii cdipz rzhfv lzhfg
iclzo dyize hggem oylge jzhje ondiz ehucz yezhj pmlhy
eiclo zhdpp aeggz vplqz olyiz ehgic laolg lhiad aloql
gicly dglej vzqzo lyize hdpye nnmhz ydize hicle osdaa
eiclg eyzdp vlcdr zemoe jneht lsg


Ciphertext obtained with a simple substitution 
Table 2.2 
Assuming that the word "communication" will occur in the plaintext, we look for strings of 13 consecutive letters, in which letter 1 = letter 8, letter 2 = letter 12, letter 3 = letter 4, letter 6 = letter 13 and letter 7 = letter 11, and no other letters coincide.


Indeed, we find the string "yennmhzydizeh" three times in the ciphertext. This gives the following information about $\pi$:

plaintext   c o m m u n i c a t i o n
ciphertext  y e n n m h z y d i z e h

Assuming that the word "direction" does also occur in the plaintext, we need to look for strings of the form "*z**yizeh" in the ciphertext, because of the information that we already have on $\pi$. It turns out that "qzolyizeh" appears four times, giving:

plaintext   d i r e c t i o n
ciphertext  q z o l y i z e h

If we substitute all this information in the ciphertext, the rest is easily filled in. For instance, the text begins like

in*ormationt*eor*treat*t*eunid...,

which obviously comes from

information theory treats the unid(irectional)...

This gives the $\pi$-images of the letters f, h, y and s. Continuing like this, one readily obtains the complete substitution:

plaintext   a b c d e f g h i j k l m n o p q r s t u v w x y z
ciphertext  d v y q l j f c z w t p n h e a x o g i m r u k s b
Example 2.2 


Mathematica makes it quite easy to find a substring with a certain pattern. For instance, to test where in a text one can find a substring of length 6 with letters 1 and 4 equal and also letters 2 and 5 (as in the Latin word "quoque"), one can use the Mathematica functions If, StringTake, StringLength, Do and Print as follows:

    ciphertext = "xyuysuyifvyxi";
    Do[
      If[StringTake[ciphertext, {i + 1}] == StringTake[ciphertext, {i + 4}] &&
         StringTake[ciphertext, {i + 2}] == StringTake[ciphertext, {i + 5}],
        Print[i + 1, " ", StringTake[ciphertext, {i + 1, i + 6}]]],
      {i, 0, StringLength[ciphertext] - 6}]

    3 uysuyi

This example was taken from Table 2.1: the ciphertext is the Caesar encryption of tuquoquebrute, and the pattern is found at position 3, exactly where quoque sits.
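The probable-word attack of this subsection and the pattern search of Example 2.2, as an added Python example that is not part of the book. It generalizes the Mathematica pattern test to an arbitrary word: a ciphertext window is a candidate for a probable word when it has the same repetition pattern and is consistent with the part of $\pi$ already recovered (known plaintext letters must map to the window's letters, and an unknown one may not be given an image that is already taken). The ciphertext is Table 2.2 with the group spacing removed and the probable words are the two used in the text; the function names are this example's own.

```python
# Ciphertext of Table 2.2 (spacing removed), copied from the page.
CIPHERTEXT = "".join("""
zhjeo ndize hicle osiol digic lmhzq zolyi zehdp zhjeo ndize
hlpvs uczyc dhzhj eondi zehge moylk zhjpm lhylg gidiz
ppsdo lylzr losye nnmhz ydize hicle osceu lrloq lgyoz
lneol flhlo dpydg lzhuc zyciu eeone olzhj eondi zehge
zhjpm lhyll dycei clogi dizgi zydpp siclq zolyi zehej
hjpml hylzg lkaol gglqv sqzol yilqi odhgj eondi zehxm
zlguc zycyd hehps vlqlo zrlqz jiclp duejy dmgdp ziszg
rlqqz gizhf mzgcz hficl ldopz loydm gljoe niclp dilol
zhvze pefsd hqgey zepef syenn mhzyd izehi cleos gllng
luzql daapz ydize hgqml ieicl jdyii cdipz rzhfv lzhfg
iclzo dyize hggem oylge jzhje ondiz ehucz yezhj pmlhy
eiclo zhdpp aeggz vplqz olyiz ehgic laolg lhiad aloql
gicly dglej vzqzo lyize hdpye nnmhz ydize hicle osdaa
eiclg eyzdp vlcdr zemoe jneht lsg
""".split())


def pattern(word):
    """Repetition pattern of a string: 'communication' -> (0,1,2,2,3,4,5,0,6,7,5,1,4).
    A simple substitution preserves this pattern, so a word and its
    encryption have the same pattern."""
    seen = {}
    return tuple(seen.setdefault(ch, len(seen)) for ch in word)


def probable_word_hits(ciphertext, word, known=None):
    """(position, window) pairs of ciphertext windows that may encrypt `word`.
    `known` maps recovered plaintext letters to their pi-images: a window must
    agree with it, and a still unknown plaintext letter may not be assigned a
    ciphertext letter that is already the image of another letter."""
    known = known or {}
    used = set(known.values())
    w, pat, hits = len(word), pattern(word), []
    for i in range(len(ciphertext) - w + 1):
        window = ciphertext[i:i + w]
        if pattern(window) != pat:
            continue
        if all(known[p] == c if p in known else c not in used
               for p, c in zip(word, window)):
            hits.append((i, window))
    return hits


def extend_key(known, word, window):
    """Add the pi-images learned from matching `word` to `window`."""
    return {**known, **dict(zip(word, window))}


def partial_decrypt(ciphertext, known):
    """Decrypt with the recovered part of pi; still unknown letters become '*'."""
    inverse = {c: p for p, c in known.items()}
    return "".join(inverse.get(c, "*") for c in ciphertext)


def attack(ciphertext, probable_words):
    """Apply the probable-word method word by word, accepting a word only when
    all its candidate windows are the same string (no ambiguity)."""
    key = {}
    for word in probable_words:
        windows = {win for _, win in probable_word_hits(ciphertext, word, key)}
        if len(windows) == 1:
            key = extend_key(key, word, windows.pop())
    return key


if __name__ == "__main__":
    # Example 2.2: windows shaped like "quoque" in the Caesar ciphertext of Table 2.1.
    print(probable_word_hits("xyuysuyifvyxi", "quoque"))      # [(2, 'uysuyi')]
    key = attack(CIPHERTEXT, ["communication", "direction"])
    print(partial_decrypt(CIPHERTEXT, key)[:40])               # in*ormationt*eor*treat*t*eunid...
```

Positions are 0-based here, so the quoque hit at 2 is the "3 uysuyi" printed by the Mathematica cell. After the two words the partially decrypted text starts with the same string the book shows, and the reader can continue with further probable words (e.g. "information", "theory") in the same loop.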


2.1.3 Vigenère Cryptosystem


The Vigenère cryptosystem (named after the Frenchman B. de Vigenère who in 1586 wrote his Traicté des Chiffres, describing a more difficult version of this system) consists of $r$ Caesar ciphers applied periodically. In the example below, the key is a word of length $r = 7$. The $i$-th letter in the key defines the particular Caesar cipher that is used for the encryption of the letters $i, i + r, i + 2r, \ldots$ in the plaintext.


Example 2.3 


We identify $\{0, 1, \ldots, 25\}$ with $\{a, b, \ldots, z\}$. The so-called Vigenère Table (see Table 2.3) is a very helpful tool when encrypting or decrypting. With the key "michael" one gets the following encipherment:

plaintext   acryptosystemoftenisac
key         michaelmichaelmichaelm
ciphertext  mktfpxzeguaeqzrbguiwlo
key        plaintext letter
           a b c d e f g h i j k l m n o p q r s t u v w x y z

 0 (a)     a b c d e f g h i j k l m n o p q r s t u v w x y z
 1 (b)     b c d e f g h i j k l m n o p q r s t u v w x y z a
 2 (c)     c d e f g h i j k l m n o p q r s t u v w x y z a b
 3 (d)     d e f g h i j k l m n o p q r s t u v w x y z a b c
 4 (e)     e f g h i j k l m n o p q r s t u v w x y z a b c d
 5 (f)     f g h i j k l m n o p q r s t u v w x y z a b c d e
 6 (g)     g h i j k l m n o p q r s t u v w x y z a b c d e f
 7 (h)     h i j k l m n o p q r s t u v w x y z a b c d e f g
 8 (i)     i j k l m n o p q r s t u v w x y z a b c d e f g h
 9 (j)     j k l m n o p q r s t u v w x y z a b c d e f g h i
10 (k)     k l m n o p q r s t u v w x y z a b c d e f g h i j
11 (l)     l m n o p q r s t u v w x y z a b c d e f g h i j k
12 (m)     m n o p q r s t u v w x y z a b c d e f g h i j k l
13 (n)     n o p q r s t u v w x y z a b c d e f g h i j k l m
14 (o)     o p q r s t u v w x y z a b c d e f g h i j k l m n
15 (p)     p q r s t u v w x y z a b c d e f g h i j k l m n o
16 (q)     q r s t u v w x y z a b c d e f g h i j k l m n o p
17 (r)     r s t u v w x y z a b c d e f g h i j k l m n o p q
18 (s)     s t u v w x y z a b c d e f g h i j k l m n o p q r
19 (t)     t u v w x y z a b c d e f g h i j k l m n o p q r s
20 (u)     u v w x y z a b c d e f g h i j k l m n o p q r s t
21 (v)     v w x y z a b c d e f g h i j k l m n o p q r s t u
22 (w)     w x y z a b c d e f g h i j k l m n o p q r s t u v
23 (x)     x y z a b c d e f g h i j k l m n o p q r s t u v w
24 (y)     y z a b c d e f g h i j k l m n o p q r s t u v w x
25 (z)     z a b c d e f g h i j k l m n o p q r s t u v w x y

The Vigenère Table. Row $k$ is the Caesar encryption with key $k$ of the alphabet in the top row; the ciphertext letter for plaintext letter $m$ under key letter $k$ is found in row $k$, column $m$.
Table 2.3


Because of the redundancy in the English language one reduces the effective size of the key space tremendously by choosing an existing word as the key. Taking the name of a relative, as we have done above, reduces the security of the encryption more or less to zero.


In Mathematica, addition of two letters as defined by the Vigenère Table can be realized in a similar way as our earlier implementation of the Caesar cipher:






    AddTwoLetters[a_String, b_String] :=
      FromCharacterCode[
        Mod[(ToCharacterCode[a] - 97) + (ToCharacterCode[b] - 97), 26] + 97]

    AddTwoLetters["y", "h"]

    f





By means of the Mathematica functions StringTake and StringLength, and the function AddTwoLetters defined above, encryption with the Vigenère cryptosystem can be realized as follows:

    vigenere[text_String, key_String] :=
      StringJoin[Table[
        AddTwoLetters[StringTake[text, {i}],
          StringTake[key, {Mod[i - 1, StringLength[key]] + 1}]],
        {i, 1, StringLength[text]}]]

    vigenere["acryptosystemoftenisac", "michael"]

    mktfpxzeguaeqzrbguiwlo
A more formal description of the Vigenère cryptosystem is as follows:

$\mathcal{C} = \{E_{(k_0, k_1, \ldots, k_{r-1})} \mid (k_0, k_1, \ldots, k_{r-1}) \in \mathcal{K} = \mathbb{Z}_{26}^r\}$

and

$E_{(k_0, k_1, \ldots, k_{r-1})}(m_0, m_1, m_2, \ldots) = (c_0, c_1, c_2, \ldots)$

with

$c_i = ((m_i + k_{i \bmod r}) \bmod 26)$.   (2.1)


Instead of using $r$ Caesar ciphers periodically in the Vigenère cryptosystem, one can of course also use $r$ simple substitutions. Such a system is an example of a so-called polyalphabetic substitution. For centuries, no one had an effective way of breaking this system, mainly because one did not have a technique of determining the key length $r$. Once one knows $r$, one can find the $r$ simple substitutions by grouping together the letters $i, i + r, i + 2r, \ldots$, for each $i$, $0 \le i < r$, and break each of these $r$ simple substitutions individually. In 1863, the Prussian army officer F.W. Kasiski solved the problem of finding the key length $r$ by statistical means. In the next section, we shall discuss this method.
2.2 The Incidence of Coincidences, Kasiski's Method


2.2.1 The Incidence of Coincidences 


Consider a ciphertext $c = c_0, c_1, \ldots, c_{n-1}$ which is the result of a Vigenère encryption of an English
plaintext $m = m_0, m_1, \ldots, m_{n-1}$ under the key $k = k_0, k_1, \ldots, k_{r-1}$ (see also (2.1)). As explained at
the end of the previous section, the key to breaking the Vigenère system is to determine the key
length $r$.


In our analysis we are going to assume the very simple model of a plaintext source outputting
independent, individual letters, each with probability distribution given by Table 1.1 (see Example
1.1). We further assume that the letters $k_i$ in the key are chosen with independent and uniform
distribution from {a, b, ..., z} (so, with probability 1/26).


Let $c^{(i)}_{\mathrm{left}}$ and $c^{(i)}_{\mathrm{right}}$ denote the substrings of $c$ consisting of the $i$ leftmost resp. rightmost symbols of $c$, so:

$c^{(i)}_{\mathrm{left}} = c_0, c_1, \ldots, c_{i-1}$ and $c^{(i)}_{\mathrm{right}} = c_{n-i}, c_{n-i+1}, \ldots, c_{n-1}.$


Let us now count the number of agreements between $c^{(i)}_{\mathrm{left}}$ and $c^{(i)}_{\mathrm{right}}$, i.e. the number of coordinates $j$
where $(c^{(i)}_{\mathrm{left}})_j = (c^{(i)}_{\mathrm{right}})_j$. We shall show in Lemma 2.1 that the expected value of this number
divided by the string length $i$ will be 0.06875 or $1/26 \approx 0.03846$, depending on whether the
(unknown) key length $r$ divides $n - i$ or does not divide $n - i$.


Let us show by example how this difference in expected values can be used to determine the
unknown key length $r$.


Example 2.4
In this example we consider the ciphertext


"elrtnhklttbrxbxwnnhshjwkcjmsmrwnxqmvehuimnfxbzcwixbmhxghhclgcipcgimg
ewcmwyejgbxbmlywimbkhhjwkcjmsmrwnxqmplceiwkcjmehtpslmmlxowmylxbxflxeebrahjwkcjm
smrwnxqm".


By means of the Mathematica functions StringTake, StringLength, Characters, and
Table, we can easily compute the number of agreements between $c^{(i)}_{\mathrm{left}}$ and $c^{(i)}_{\mathrm{right}}$ in any range of
values of $i$:
ciphertext =
  "ubsyvkmhvyrrtsbbcrdsndwrtshembufrmxgabnvmircewerucamly\
zbrviwivvmlyzwapspyogsselechbgcubsvyczgrewrmhyexgooyv\
cydspomtqtpyqkgbcmerucadlcaflreugjrbhcegesfcehuognds\
torcdoymeqqwaglgovggsamdabbigztbbqyfwhxwmgfpowgztyeil\
ocsarkgfahuovgtfogswruqnvpwivrampqqgsslatgrmqubsvyczrqra\
wejdeowqqroihqdspdibffnxwgztbbqyfwbheus";
L = StringLength[ciphertext];
Table[N[Count[Characters[StringTake[ciphertext, i]] -
      Characters[StringTake[ciphertext, -i]], 0]/i, 1], {i, L-20, L-1}]


{0.03, 0.04, 0.08, 0.02, 0.05, 0.04, 0.04, 0.03, 0.06, 0.07,
 0.06, 0.04, 0.02, 0.05, 0.08, 0.04, 0.05, 0.02, 0.01, 0.05}


The (relatively) higher values in this listing at places $-6$ and $-18$ indicate that the key length $r$ is 6.
Indeed, the key that has been used to generate this example is the word "monkey", which has 6
letters.


This can be checked with the following analogue of the Vigenère encryption of Example 2.3.


SubTwoLetters[a_, b_] :=
  FromCharacterCode[
    Mod[(ToCharacterCode[a] - 97) - (ToCharacterCode[b] - 97), 26] + 97]

ciphertext =
  "ubsyvkmhvyrrtsbbcrdsndwrtshembufrmxgabnvmircewerucamly\
zbrviwivvmlyzwapspyogsselechbgcubsvyczgrewrmhyexgooyv\
cydspomtqtpyqkgbcmerucadlcaflreugjrbhcegesfcehuognds\
torcdoymeqqwaglgovggsamdabbigztbbqyfwhxwmgfpowgztyeil\
ocsarkgfahuovgtfogswruqnvpwivrampqqgsslatgrmqubsvyczrqra\
wejdeowqqroihqdspdibffnxwgztbbqyfwbheus";
key = "monkey";
plaintext = "";
Do[plaintext = plaintext <>
    SubTwoLetters[StringTake[ciphertext, {i}],
      StringTake[key, {Mod[i-1, StringLength[key]] + 1}]],
  {i, 1, StringLength[ciphertext]}]
plaintext


informationtheorytreatstheunidirectionalinformationchannelbywhichaninf
ormationsourceinfluencesstatisticallyareceivercommunicationtheoryho
weverdescribesthemoregeneralcaseinwhichtwoormoreinformationsourcesi
nfluenceeachotherstatisticallythedirectionofthisinfluenceisexpresse
dbydirectedtransinformationqu


Lemma 2.1

Let $c$ be a ciphertext which is the result of a Vigenère encryption of a plaintext $m$ of
length $n$ with key $k$ of length $r$.

Suppose that $m$ is generated by the plaintext source of Example 1.1. So, all the letters in
$m$ are generated independently of each other, all with the frequency distribution $p(m)$
given by Table 1.1. Suppose further that the letters $k_i$ in the key are chosen with
independent and uniform distribution from {a, b, ..., z} (so, with probability 1/26).

Then, for each $1 \le i < j \le n$,

$\Pr[c_i = c_j] = \begin{cases} \sum_m p(m)^2 = 0.06875, & \text{if } r \text{ divides } j - i, \\ 1/26 \approx 0.03846, & \text{if } r \text{ does not divide } j - i. \end{cases}$

Proof:
If $j - i$ is divisible by $r$, then $c_i = c_j$ if and only if $m_i = m_j$. This follows directly from formula
(2.1), since $(j \bmod r)$ equals $(i \bmod r)$. So,

$\Pr[c_i = c_j] = \Pr[m_i = m_j] = \sum_m \Pr[m_i = m_j = m] = \sum_m \Pr[m_i = m]\,\Pr[m_j = m] = \sum_m p(m)^2 = 0.06875.$

If $j - i$ is not divisible by $r$, then by (2.1) $c_i = c_j$ if and only if $m_i + k_{(i \bmod r)} = m_j + k_{(j \bmod r)}$. Since
$(j \bmod r) \ne (i \bmod r)$, it follows that $k_{(j \bmod r)}$ takes on the value $m_i + k_{(i \bmod r)} - m_j$ with probability
1/26. We conclude that

$\Pr[c_i = c_j] = 1/26 \approx 0.03846.$


It may be clear that with increasing length of the ciphertext, it is easier to determine the key length
from the relative number of agreements between $c^{(i)}_{\mathrm{left}}$ and $c^{(i)}_{\mathrm{right}}$.


2.2.2  Kasiski's Method 


Kasiski based his cryptanalysis of the Vigenère cryptosystem on the fact that when a certain
combination of letters (a frequent plaintext fragment) is encrypted more than once with the same
segment of the key (because the occurrences are a multiple of the key length $r$ apart), one will see a repetition
of the corresponding ciphertext at those places.


We quote an example from [Baue97]: 


Example 2.5 
Consider the following plaintext and ciphertext pair (where the key "comet" has been used):


plaintext    t h e r e i s a n o t h e r f ...
key          c o m e t c o m e t c o m e t ...
ciphertext   v v q v x k g m r h v v q v y ...


In the ciphertext one can find the substring "vvqv" (of length 4) repeated twice, namely starting at
positions 1 and 11. This indicates that $r$ divides 10. The substring "mrh" (of length 3) also occurs
twice: at positions 8 and 23. So, it seems likely that $r$ also divides 15. Combining these results, we
conclude that $r = 5$, which is indeed the case.


See [Baue97] for a further analysis of the Vigenère cryptosystem.
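Both key-length recoveries of this section, the agreement count between $c^{(i)}_{\mathrm{left}}$ and $c^{(i)}_{\mathrm{right}}$ of Subsection 2.2.1 and Kasiski's repeat distances of Subsection 2.2.2, as an added Python example (not the book's code). The key "comet" is the one of Example 2.5; the sample plaintexts, the helper names and the choice of trigrams for the Kasiski search are assumptions of this example.

```python
# Added example (not the book's code): recovering the Vigenère key length r from
# a ciphertext, first by the incidence of coincidences of Section 2.2.1, then by
# Kasiski's method of Section 2.2.2. The sample texts are constructed.
from collections import defaultdict
from functools import reduce
from math import gcd


def vigenere_encrypt(plaintext, key):
    """Formula (2.1) on lower-case a..z, used here only to build test material."""
    return "".join(
        chr((ord(m) - 97 + ord(key[i % len(key)]) - 97) % 26 + 97)
        for i, m in enumerate(plaintext)
    )


def agreement_rate(c, i):
    """Number of coordinates j with (c_left^(i))_j == (c_right^(i))_j, divided by i.
    c_left^(i) = c[0:i], c_right^(i) = c[n-i:n]; coordinate j compares symbols that
    are n - i positions apart."""
    n = len(c)
    left, right = c[:i], c[n - i:]
    return sum(1 for a, b in zip(left, right) if a == b) / i


def coincidence_profile(c, max_shift=20):
    """Agreement rate for every distance d = n - i, d = 1 .. max_shift."""
    n = len(c)
    return {d: agreement_rate(c, n - d) for d in range(1, max_shift + 1)}


def estimate_key_length(c, max_shift=20):
    """Smallest distance d at which the agreement rate peaks; by Lemma 2.1 the
    peaks sit at the multiples of r, so the first one is r itself."""
    profile = coincidence_profile(c, max_shift)
    best = max(profile.values())
    return min(d for d, rate in profile.items() if rate == best)


def kasiski_distances(c, length=3):
    """Distances between all pairs of occurrences of every repeated substring of
    the given length (such repeats tend to lie a multiple of r apart)."""
    positions = defaultdict(list)
    for j in range(len(c) - length + 1):
        positions[c[j:j + length]].append(j)
    distances = []
    for occ in positions.values():
        for a in range(len(occ)):
            for b in range(a + 1, len(occ)):
                distances.append(occ[b] - occ[a])
    return distances


def kasiski_key_length(c, length=3):
    """gcd of all repeat distances: r divides it (0 if there are no repeats)."""
    return reduce(gcd, kasiski_distances(c, length), 0)


if __name__ == "__main__":
    # Constructed plaintext, encrypted with the key "comet" of Example 2.5.
    pt = "thereisanotherfamousplace" * 2
    ct = vigenere_encrypt(pt, "comet")
    print(ct)
    print(coincidence_profile(ct, 10))
    print("coincidence estimate:", estimate_key_length(ct, 10))
    print("kasiski gcd:", kasiski_key_length(ct))
```

A plaintext consisting of one repeated letter is the extreme case of the model of Lemma 2.1 ($\sum_m p(m)^2 = 1$): the agreement rate is exactly 1 at the multiples of $r$ and exactly 0 elsewhere, so the estimate is unambiguous. For English plaintext the contrast is only 0.06875 against 0.03846, which is why the text stresses that a longer ciphertext makes the reading easier.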
2.3 Vernam, Playfair, Transpositions, Hagelin, Enigma


In this section, we shall briefly discuss a few more cryptosystems, without going deep into their 
structure. 


2.3.1 The One-Time Pad 


The one-time pad, also called the Vernam cipher (after the American A.T. & T. employee G.S.
Vernam, who introduced the system in 1917), is a Vigenère cipher with key length equal to the
length of the plaintext. Also, the key must be chosen in a completely random way and can only be
used once. In this way the system is unconditionally secure, as is intuitively clear and will be
proved in Chapter 5. The "hot line" between Washington and Moscow uses this system. The major
drawback of this system is the length of the key, which makes this system impractical for most
applications.


2.3.2 The Playfair Cipher 


The Playfair cipher (1854, named after the Englishman L. Playfair) was used by the British in
World War I. It operates on 2-grams. First of all, one has to identify the letters i and j. The
remaining 25 letters of the alphabet are put rowwise in a $5 \times 5$ matrix $K$, as follows. Put the first
letter of a keyword in the top-left position. Continue rowwise from left to right. If a letter occurs
more than once in the keyword, use it only once. The remaining letters of the alphabet are put into
$K$ in their natural order. For instance, the keyword "hieronymus" gives rise to


h i e r o
n y m u s
a b c d f
g k l p q
t v w x z


The 2-gram $(x, y) = (K_{i,j}, K_{m,n})$ with $x \ne y$ will be encrypted into

$(K_{i,j+1}, K_{m,n+1})$, if $i = m$ and $j \ne n$,
$(K_{i+1,j}, K_{m+1,n})$, if $i \ne m$ and $j = n$,
$(K_{i,n}, K_{m,j})$, if $i \ne m$ and $j \ne n$,

where the indices are taken modulo 5. If the symbols $x$ and $y$ in the 2-gram $(x, y)$ are the same, one
first inserts the letter q and enciphers the text ...xqy... .
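The Playfair rules above in Python, as an added example (not the book's code). The square for "hieronymus" comes out as printed above; the handling of a trailing unpaired letter (padded with q) and of a doubled q (filler x) are assumptions this example makes, since the text only specifies the insertion of q between two equal letters.

```python
# Added example (not the book's code): the Playfair cipher of Subsection 2.3.2.
# Padding a trailing single letter with q, and using x as filler when the doubled
# letter is itself q, are assumptions of this example.

def playfair_square(keyword):
    """5x5 matrix K: keyword letters rowwise (each used once, j identified with i),
    then the remaining letters of the alphabet in their natural order."""
    letters = []
    for ch in keyword.lower().replace("j", "i") + "abcdefghiklmnopqrstuvwxyz":
        if ch not in letters:
            letters.append(ch)
    return [letters[5 * r:5 * r + 5] for r in range(5)]


def locate(K, ch):
    """Return (i, j) with K[i][j] == ch."""
    for i, row in enumerate(K):
        if ch in row:
            return i, row.index(ch)
    raise ValueError("letter not in square: " + ch)


def encrypt_digram(K, x, y, step=1):
    """The three cases of the text for (x, y) = (K_{i,j}, K_{m,n}), x != y, indices
    modulo 5. step = -1 undoes the row and column shifts (decryption)."""
    i, j = locate(K, x)
    m, n = locate(K, y)
    if i == m and j != n:                         # same row
        return K[i][(j + step) % 5] + K[m][(n + step) % 5]
    if i != m and j == n:                         # same column
        return K[(i + step) % 5][j] + K[(m + step) % 5][n]
    return K[i][n] + K[m][j]                      # rectangle: swap the columns


def playfair_digrams(text):
    """Split into 2-grams, inserting q between equal letters (...xqy...)."""
    letters = ["i" if ch == "j" else ch for ch in text.lower() if ch.isalpha()]
    digrams, k = [], 0
    while k < len(letters):
        x = letters[k]
        y = letters[k + 1] if k + 1 < len(letters) else None
        if y is None or x == y:
            digrams.append(x + ("q" if x != "q" else "x"))   # filler never equals x
            k += 1
        else:
            digrams.append(x + y)
            k += 2
    return digrams


def playfair_encrypt(text, keyword):
    K = playfair_square(keyword)
    return "".join(encrypt_digram(K, d[0], d[1]) for d in playfair_digrams(text))


def playfair_decrypt(ciphertext, keyword):
    """Undo the shifts; inserted fillers are left in place for the reader to drop."""
    K = playfair_square(keyword)
    pairs = [ciphertext[k:k + 2] for k in range(0, len(ciphertext), 2)]
    return "".join(encrypt_digram(K, p[0], p[1], step=-1) for p in pairs)


if __name__ == "__main__":
    for row in playfair_square("hieronymus"):
        print(" ".join(row))
    ct = playfair_encrypt("here", "hieronymus")
    print(ct, playfair_decrypt(ct, "hieronymus"))
```

Because the two letters of a 2-gram always sit in different cells, the three cases always produce two different ciphertext letters, so a doubled letter in a Playfair ciphertext is a sign that the text was not produced by these rules.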
2.3.3 Transposition Ciphers


A completely different way of enciphering is called transposition. This system breaks the text up
into blocks of fixed length, say $n$, and applies a fixed permutation $\sigma$ to the coordinates. For
instance, with $n = 5$ and $\sigma = (1, 4, 5, 2, 3)$, one gets the following encryption:


crypt ograp hical ... → ytrcp rpgoa cliha ...


Often the permutation is of a geometrical nature, as is the case with the so-called column
transposition. The plaintext is written rowwise in a matrix of given size, but will be read out
columnwise in a specific order depending on a keyword. For instance, after having identified the
letters a, b, ..., z with the numbers 1, 2, ..., 26, the keyword "right" will dictate you to read out
column 3 first (being the alphabetically first of the 5 letters in "right"), followed by columns 4, 2, 1
and 5. So, the plaintext


computing science has had very little influence on computing 
practice 


when encrypted with a $5 \times 5$ matrix and keyword "right" will first be filled in rowwise as depicted
below


    3 4 2 1 5          3 4 2 1 5
    c o m p u          y l i t t
    t i n g s          l e i n f
    c i e n c          l u e n c
    e h a s h          e o n c o
    a d v e r          m p u t i


and then read out (columnwise in the indicated order) to give the ciphertext:
mneav pgnse olihd ctcea uschr iienu tnnct leuop yllem tfcoi


Since transpositions do not change letter frequencies, but destroy dependencies between
consecutive letters in the plaintext, while Vigenère etc. do the opposite, one often combines such
systems. Such a combined system is called a product cipher. Shannon used the words confusion
and diffusion in this context.


Ciphersystems that encrypt the plaintext symbol by symbol in a way that depends on previous
input symbols are often called stream ciphers (they will be discussed in Chapter 3). Cryptosystems
that encrypt blocks of symbols (of a fixed length) simultaneously but independently of previous
encryptions are called block ciphers (see Chapter 4).


During World War II both sides used so called rotor machines for their encryption. Several 
variations of the machines described in the next two subsections were in use at that time. We shall 
give a rough idea of each one. 
2.3.4 Hagelin


The Hagelin
Figure 2.1


The Hagelin, invented by the Swede B. Hagelin and used by the U.S. Army, has 6 rotors with 26, 
resp. 25, 23, 21, 19 and 17 pins. Each of these pins can be put into an active or passive position by 
letting it stick out to the left or right of the rotor. After encryption of a letter (depending on the 
setting of these pins and a rotating cylinder), the 6 rotors all turn one position. So, after 26 
encryptions the first rotor is back in its original position. For the sixth rotor this takes only 17 
encryptions. 
The six rotors in the Hagelin machine,
each with its own number of positions.
Figure 2.2


Since the numbers of pins on the rotors are coprime, the Hagelin can be viewed as a mechanical
Vigenère cryptosystem with period $26 \times 25 \times 23 \times 21 \times 19 \times 17 = 101{,}405{,}850$. We refer the reader
who is interested in the cryptanalysis of the Hagelin to Section 2.3 in [BekP82].
2.3.5 Enigma


The Enigma
Figure 2.3


A Schematic Description of the Enigma (keyboard, three rotors, reflector, indicator light)
Figure 2.4
The electro-mechanical Enigma, used by Germany and Japan, was invented by A. Scherbius in
1923. It consists of three rotors and a reflector. See Figure 2.4. When punching in a letter, an
electric current will enter the first rotor at the place corresponding with that letter, but will leave
it somewhere else depending on the internal wiring of that rotor. The second and third rotors do
the same, but have a different wiring. The reflector returns the current at a different place and the
current will go through rotors 1, 2 and 3 again, but in reverse order. The current will light up a
letter, which gives the encryption of the original letter.


Simultaneously, the first rotor will turn one position. After 26 rotations of the first rotor the second
will turn one position. When the second rotor has made a full cycle, the third rotor will rotate over
one position.


The key of the Enigma consists of


i) the choice and order of the rotors,
ii) their initial position and
iii) a fixed initial permutation of the alphabet.


For an idea about the cryptanalysis of the Enigma the reader is referred to Chapter 5 in [Konh81].


2.4 Problems 


Problem 2.1
The following ciphertext about president Kennedy has been made with a simple substitution. What is the
corresponding plaintext?
"rgjjg mvkto tzpgt stbgp catjw pgocm gjs"


Problem 2.2 
Decrypt the following ciphertext, which is made with the Playfair cipher and the key "hieronymous" (as in 
Subsection 2.3.2). 


"erohh mfimf ienfa bsesn pdwar gbhah ro" 


Problem 2.3 
Encrypt the following plaintext using the Vigenère system with the key "vigenere".


WW? SS) <a tao: Ors Varo ini woo lr” 


Problem 2.4

Consider a ciphertext obtained through a Caesar encryption. Write a Mathematica program to find all 
substrings of length 5 in the ciphertext that could have been obtained from the word "Brute". 

Test this program on the text "xyuysuyifvyxi" from Table 2.1. (See also the input in Example 2.2) 
3 Shift Register Sequences


3.1 Pseudo-Random Sequences 


During and after World War II, the introduction of logical circuits made completely electronic 
cryptosystems possible. These turned out to be very practical in the sense of being easy to 
implement and very fast. The analysis of their security is not so easy! Working with logical circuits 
often leads to the alphabet {0, 1}. There are only two possible permutations (substitutions) of the 
set {0, 1}. One action interchanges the two symbols. This can also be described by adding 1 
(modulo 2) to the two elements. The other permutation leaves the two symbols invariant, which is 
the same as adding 0 (modulo 2) to these two elements. 


Since the Vernam cipher is unconditionally secure but not very practical, it is only natural that 
people came up with the following scheme. 









A binary cryptosystem with pseudo-random $\{s_i\}_{i \ge 0}$-sequence
(the same algorithm generates the sequence at both ends; plaintext $m_i$).
Figure 3.1


Of course one would like the sequence $\{s_i\}_{i \ge 0}$ to be random, but with a finite state machine and a
deterministic algorithm one can not generate a random sequence. Indeed, one will always generate
a sequence which is ultimately periodic. This observation shows that (apart from a beginning
segment) the scheme is a special case of the Vigenère cryptosystem. On the other hand, one can try
to generate sequences that appear to be random, have long periods and have the right
cryptographic properties. Good reference books for this theory are [Bek82], [Gol67], and [Ruep86].
In [Gol67], S.W. Golomb formulated three postulates that a binary, periodic sequence $\{s_i\}_{i \ge 0}$
should satisfy to be called pseudo-random. Before we can give these, we have to introduce some
terminology.







A run of length $k$ is a subsequence of $\{s_i\}_{i \ge 0}$ consisting of $k$ identical symbols, bordered by
different symbols. If the run starts at moment $t$, one has in formula:


$s_{t-1} \ne s_t = s_{t+1} = \cdots = s_{t+k-1} \ne s_{t+k}.$


One makes the following distinction:


a block of length $k$: $0\,\underbrace{11 \ldots 1}_{k}\,0$

a gap of length $k$: $1\,\underbrace{00 \ldots 0}_{k}\,1$


The autocorrelation $AC(k)$ of a periodic sequence $\{s_i\}_{i \ge 0}$ with period $p$ is defined by:


where $A(k)$ and $D(k)$ denote the number of agreements resp. disagreements over a full period
between $\{s_i\}_{i \ge 0}$ and $\{s_{i+k}\}_{i \ge 0}$, which is $\{s_i\}_{i \ge 0}$ shifted over $k$ positions to the left. So


$A(k) = |\{0 \le i < p \mid s_i = s_{i+k}\}|,$
$D(k) = |\{0 \le i < p \mid s_i \ne s_{i+k}\}|.$
Note that one can also write $AC(k) = (2 A(k) - p)/p$.


Example 3.1
Consider a sequence that is periodic with period $p$ given by its first $p$ elements.


With the Mathematica functions Count, Length, Mod, RotateLeft, and Table one easily computes
all values of the autocorrelation function $AC(k)$, $0 \le k \le p - 1$.

{1, 0, 0, 0, -1, 0, 0, 0}


If $k$ is a multiple of $p$ one has that $A(k) = p$, $D(k) = 0$, so $AC(k) = 1$. One speaks of the in-phase
autocorrelation.


If $p$ does not divide $k$, one speaks of the out-of-phase autocorrelation. The value of $AC(k)$ now lies
between $-1$ and $+1$.


G1: The number of zeros and the number of ones are as equal as possible per period,
i.e. both are $p/2$ if $p$ is even and they are $(p \pm 1)/2$ if $p$ is odd.

G2: Half of the runs in a cycle have length 1, one quarter of the runs have length 2, one
eighth of the runs have length 3, and so forth. Moreover half of the runs of a certain
length are gaps, the other half are blocks.

G3: The out-of-phase autocorrelation $AC(k)$ has the same value for all values of $k$.


G1 states that zeros and ones occur with roughly the same probability. One can count these
occurrences quite easily with the Mathematica function Count.


G2 implies that after 011 the symbol 0 (leading to a block of length 2) has the same probability as
the symbol 1 (leading to a block of length $\ge 3$), etc. So, G2 says that certain $n$-grams occur with the
right frequencies. These frequencies can be computed by means of the Mathematica functions
Count, Length, RotateLeft, Table, and Take.
The interpretation of G3 is more difficult. It does say that counting the number of agreements
between a sequence and a shifted version of that sequence does not give any information about the
period of that sequence, unless one shifts over a multiple of the period. A related situation is
described in Lemma 2.1, where such a comparison made it possible to determine the length of the
key used in the Vigenère cipher. In cryptographic applications $p$ will be too large for such an
approach.


Lemma 3.1

Let $\{s_i\}_{i \ge 0}$ be a binary sequence with period $p$, $p > 2$, which satisfies Golomb's
randomness postulates.

Then $p$ is odd and $AC(k)$ has the value $-1/p$ when $k$ is not divisible by $p$.


Proof: Consider a $p \times p$ cyclic matrix with top row $s_0, s_1, \ldots, s_{p-1}$. We shall count in two different
ways the sum of all the agreements minus the disagreements between the top row and all the other
rows. Counting rowwise we get by G3 for each row $i$, $2 \le i \le p$, the same contribution $p \cdot AC(k)$.
This gives a total value of $p(p-1) \cdot AC(k)$.


We shall now evaluate the above sum by counting columnwise the number of agreements minus
the number of disagreements between all lower entries and the top entries.


Case: $p$ even.


By G1, the contribution of each column will be $(p/2 - 1) - p/2 = -1$, since each column counts
exactly $p/2 - 1$ agreements of a lower entry with the top entry and exactly $p/2$ disagreements.
Summing this value over all columns gives $-p$ for the total sum. Equating the two values yields
$(p - 1) \cdot AC(k) = -1$. However, Equation (3.1) implies that $p \cdot AC(k)$ is an integer. This is not
possible when $AC(k) = -1/(p-1)$, unless $p = 2$.


Case: $p$ odd.


One gets for $(p+1)/2$ columns the contribution $(p-1)/2 - (p-1)/2$, which is 0, and for
$(p-1)/2$ columns the contribution $(p-3)/2 - (p+1)/2$, which is $-2$. Hence one obtains the
value $-(p-1)$ for the summation. Putting this equal to $p(p-1) \cdot AC(k)$ yields the value
$AC(k) = -1/p$.
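Golomb's postulates, the autocorrelation $AC(k) = (2A(k) - p)/p$ and the value $-1/p$ of Lemma 3.1, as an added Python example (not the book's code). It runs on a constructed period-15 sequence produced by the recurrence $s_{k+4} = s_k + s_{k+1} \pmod 2$, which is the LFSR of Example 3.3 in Section 3.2; the strict counting form of G2 used in golomb_g2 and the function names are this example's assumptions.

```python
# Added example (not the book's code): Golomb's postulates G1-G3, the autocorrelation
# AC(k) = (2 A(k) - p)/p and the value -1/p of Lemma 3.1, checked on a constructed
# period-15 sequence produced by the recurrence s_{k+4} = s_k + s_{k+1} (mod 2)
# (the LFSR of Example 3.3).
from fractions import Fraction


def lfsr_output(state, coeffs, length):
    """s_0, s_1, ... from s_{k+n} = sum_i c_i s_{k+i} mod 2; state = (s_0..s_{n-1}),
    coeffs = (c_0..c_{n-1})."""
    s, n = list(state), len(state)
    while len(s) < length:
        s.append(sum(c * x for c, x in zip(coeffs, s[-n:])) % 2)
    return s[:length]


def runs(period):
    """Runs of one period read cyclically, as (symbol, length) pairs; a run of 1s is a
    block, a run of 0s a gap. The sequence must not be constant."""
    p = len(period)
    start = next(i for i in range(p) if period[i] != period[i - 1])
    cyc = period[start:] + period[:start]          # now starts on a run boundary
    result = []
    for sym in cyc:
        if result and result[-1][0] == sym:
            result[-1] = (sym, result[-1][1] + 1)
        else:
            result.append((sym, 1))
    return result


def autocorrelation(period, k):
    """AC(k) = (2 A(k) - p)/p with A(k) = |{0 <= i < p : s_i = s_{i+k}}|."""
    p = len(period)
    A = sum(1 for i in range(p) if period[i] == period[(i + k) % p])
    return Fraction(2 * A - p, p)


def golomb_g1(period):
    """Zeros and ones per period as equal as possible (they differ by at most one)."""
    return abs(period.count(0) - period.count(1)) <= 1


def golomb_g2(period):
    """Strict reading of G2: of R runs, R/2 have length 1, R/4 length 2, ... as long as
    that count is at least 1; runs of one length split evenly into blocks and gaps."""
    rs = runs(period)
    R, L = len(rs), 1
    while R / 2 ** L >= 1:
        of_len = [sym for sym, ln in rs if ln == L]
        if len(of_len) != R / 2 ** L:
            return False
        if len(of_len) >= 2 and of_len.count(0) != of_len.count(1):
            return False
        L += 1
    return True


def golomb_g3(period):
    """The out-of-phase autocorrelation AC(k), 1 <= k < p, takes a single value."""
    return len({autocorrelation(period, k) for k in range(1, len(period))}) == 1


def lemma_3_1_holds(period):
    """For a sequence satisfying G1-G3 with p > 2: p is odd and AC(k) = -1/p off-phase."""
    p = len(period)
    return p % 2 == 1 and all(autocorrelation(period, k) == Fraction(-1, p)
                              for k in range(1, p))


if __name__ == "__main__":
    seq = lfsr_output((1, 0, 0, 0), (1, 1, 0, 0), 15)
    print("".join(map(str, seq)), runs(seq))
    print([str(autocorrelation(seq, k)) for k in range(15)])
    print(golomb_g1(seq), golomb_g2(seq), golomb_g3(seq), lemma_3_1_holds(seq))
```

The sequence 100010011010111 has 8 ones and 7 zeros, eight runs (four of length 1, two of length 2, one of length 3, one of length 4, blocks and gaps balanced), and every out-of-phase autocorrelation equals $-1/15$, exactly as Lemma 3.1 predicts. The period-4 sequence 0011 satisfies G1 but fails G2 and G3.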


The well known $\chi^2$-test and the spectral test, [CovM67], yield ways to test the pseudo-randomness
properties of a given sequence. We shall not discuss these methods here. The
interested reader is referred to [Golo67], Chapter IV, [Knut81], Chapter 3, or Maurer's universal
statistical test [Maur92].


There are also properties of a cryptographic nature which the sequence $\{s_i\}_{i \ge 0}$ in Figure 3.1 should
satisfy.


C1: The period $p$ of $\{s_i\}_{i \ge 0}$ has to be taken very large (about the order of magnitude of 10°°).


C2: The sequence $\{s_i\}_{i \ge 0}$ should be easy to generate.

C3: Knowledge of part of the plaintext with corresponding ciphertext should not enable a
cryptanalyst to generate the whole $\{s_i\}_{i \ge 0}$-sequence (known plaintext attack).


3.2 Linear Feedback Shift Registers 


3.2.1 (Linear) Feedback Shift Registers


Feedback shift registers are very fast implementations to generate binary sequences. Their general
form is depicted in Figure 3.2.


General Form of a Feedback Shift Register (state $(s_0, s_1, \ldots, s_{n-2}, s_{n-1})$, feedback function $f$)
Figure 3.2


A feedback shift register (FSR) of length $n$ contains $n$ memory cells, which together form the
(beginning) state $(s_0, s_1, \ldots, s_{n-1})$ of the shift register. The function $f$ is a mapping of $\{0, 1\}^n$ into
$\{0, 1\}$ and is called the feedback function of the register. Since $f$ can be represented as a Boolean
function, it can easily be made with elementary logical functions.

After the first time unit, the shift register will output $s_0$ and go to state $(s_1, s_2, \ldots, s_n)$, where
$s_n = f(s_0, s_1, \ldots, s_{n-1})$.


Continuing in this way, the shift register will generate an infinite sequence $\{s_i\}_{i \ge 0}$.


Example 3.2


Consider the case that $n = 3$ and that $f$ is given by $f(s_0, s_1, s_2) = s_0 s_1 + s_2$. Starting with an initial state
$(s_0, s_1, s_2)$, one can quite easily determine the successive states with the Mathematica functions Mod, Do,
and Print as follows:

Clear[f];
f[x_, y_, z_] := Mod[x*y + z, 2];
{s0, s1, s2} = {0, 1, 1};
Do[{s0, s1, s2} = {s1, s2, f[s0, s1, s2]};
  Print[{s0, s1, s2}], {i, 1, 6}]


{1, 1, 1}
{1, 1, 0}
{1, 0, 1}
{0, 1, 1}
{1, 1, 1}
{1, 1, 0}


In this section, we shall study the special case that $f$ is a linear function, say:

$f(s_0, s_1, \ldots, s_{n-1}) = c_0 s_0 + c_1 s_1 + \cdots + c_{n-1} s_{n-1},$

where all the $c_i$'s are binary and all the additions are taken modulo 2.


The general picture of a linear feedback shift register, which we shall shorten to LFSR, is depicted
in the figure below.


General linear feedback shift register (LFSR), with feedback coefficients $c_0, c_1, \ldots$ and output
Figure 3.3


The output sequence $\{s_i\}_{i \ge 0}$ of such a LFSR can be described by the starting state $(s_0, s_1, \ldots, s_{n-1})$
and the linear recurrence relation:

$s_{k+n} = \sum_{i=0}^{n-1} c_i s_{k+i}, \quad k \ge 0, \qquad (3.2)$

or, equivalently

$\sum_{i=0}^{n} c_i s_{k+i} = 0, \quad k \ge 0, \qquad (3.3)$

where $c_n = 1$ by definition. Let $s^{(i)}$ denote the state at time $i$, i.e. $s^{(i)} = (s_i, s_{i+1}, \ldots, s_{i+n-1})$. Then,
similarly to (3.2) one has the following recurrence relation for the successive states of the LFSR:

$s^{(k+n)} = \sum_{i=0}^{n-1} c_i s^{(k+i)}, \quad k \ge 0. \qquad (3.4)$


The coefficients $c_i$ in (3.2) and Figure 3.3 are called the feedback coefficients of the LFSR. If
$c_i = 0$ then the corresponding switch in Figure 3.3 is open, while if $c_i = 1$ this switch is closed. We
shall always assume that $c_0 = 1$, because otherwise the output sequence $\{s_i\}_{i \ge 0}$ is just a delayed
version of a sequence generated by a LFSR with its $c_0$ equal to 1.


As a consequence, any state of the LFSR not only has a unique successor state, as is natural, but
also has a unique predecessor. Indeed, for any $k \ge 0$ the value of $s_k$ is uniquely determined by
$s_{k+1}, \ldots, s_{k+n}$ by means of (3.2). Later on (in Thm. 3.22) we shall prove this property in a more
general situation.


Example 3.3
With $n = 4$, $c_0 = c_1 = 1$, $c_2 = c_3 = 0$, we get the following LFSR:


Example of LFSR with $n = 4$.
Figure 3.4


With starting state (1,0,0,0) one gets the subsequent list of successive states:

{s0, s1, s2, s3} = {1, 0, 0, 0}
Do[{s0, s1, s2, s3} = {s1, s2, s3, Mod[s0 + s1, 2]};
  Print[i, " ", {s0, s1, s2, s3}], {i, 15}]

{1, 0, 0, 0}
1 {0, 0, 0, 1}
2 {0, 0, 1, 0}
3 {0, 1, 0, 0}
4 {1, 0, 0, 1}
5 {0, 0, 1, 1}
6 {0, 1, 1, 0}
7 {1, 1, 0, 1}
8 {1, 0, 1, 0}
9 {0, 1, 0, 1}
10 {1, 0, 1, 1}
11 {0, 1, 1, 1}
12 {1, 1, 1, 1}
13 {1, 1, 1, 0}
14 {1, 1, 0, 0}
15 {1, 0, 0, 0}

Note that the state at $t = 15$ is identical to the state at $t = 0$, so the output sequence $\{s_i\}_{i \ge 0}$ has
period 15.


One can easily determine the output sequence of a LFSR with the Mathematica functions Table,
Mod, and Do as follows:




Since there are precisely $2^n$ different states in a LFSR of length $n$ and the all-zero state always
goes over into itself, one can conclude that the period of $\{s_i\}_{i \ge 0}$ will never exceed $2^n - 1$.




If an $n$-stage LFSR does not run cyclically through all $2^n - 1$ non-zero states, it certainly does not
generate a PN-sequence. As a consequence we have the following theorem.


Lemma 3.2

An $n$-stage LFSR that generates a PN-sequence $\{s_i\}_{i \ge 0}$ runs cyclically through all $2^n - 1$
non-zero states.

Any non-zero output sequence of this LFSR is a shift of $\{s_i\}_{i \ge 0}$.


We want to classify all LFSR's which generate PN-sequences. To this end, we associate with an
LFSR with feedback coefficients $c_0, c_1, \ldots, c_{n-1}$ its characteristic polynomial $f(x)$, which is
defined as follows:

$f(x) = c_0 + c_1 x + \cdots + c_{n-1} x^{n-1} + x^n = \sum_{i=0}^{n} c_i x^i, \qquad (3.5)$

where $c_n = 1$ by definition and $c_0 = 1$ by assumption.


Definition 3.4
Let $f = \sum_{i=0}^{n} c_i x^i$. Then

$\Omega(f) = \{\{s_i\}_{i \ge 0} \mid \{s_i\}_{i \ge 0} \text{ satisfies } (3.2)\}.$


In words, $\Omega(f)$ is the set of all output sequences of the LFSR with characteristic polynomial $f(x)$.


Lemma 3.3
Let $f$ be the characteristic polynomial of an $n$-stage LFSR. Then $\Omega(f)$ is a binary vector
space of dimension $n$.


Proof: Since (3.2) is a linear recurrence relation, $\Omega(f)$ obviously is a linear vector space. Also,
each $\{s_i\}_{i \ge 0}$ in $\Omega(f)$ is uniquely determined by its first $n$ entries $s_0, s_1, \ldots, s_{n-1}$ (the beginning
state), so the dimension of $\Omega(f)$ is at most $n$. On the other hand, the $n$ different sequences starting
with

$0 \le i \le n - 1$, are clearly independent. So, the dimension of $\Omega(f)$ is at least $n$.
□
Let $f$ be a polynomial of degree $n$, say $f(x) = \sum_{i=0}^{n} c_i x^i$ with $c_n \ne 0$. Then, the reciprocal
polynomial of $f(x)$ is defined by

$f^*(x) = x^n f(1/x) = c_0 x^n + c_1 x^{n-1} + \cdots + c_n = \sum_{i=0}^{n} c_{n-i} x^i. \qquad (3.6)$

With a sequence $\{s_i\}_{i \ge 0}$ we associate the power series (also called generating function)

$S(x) = \sum_{i \ge 0} s_i x^i. \qquad (3.7)$


Instead of writing $\{s_i\}_{i \ge 0} \in \Omega(f)$, we shall also use the notation $S(x) \in \Omega(f)$. We know that $S(x)$ is
uniquely determined by the beginning state $(s_0, s_1, \ldots, s_{n-1})$ and the characteristic polynomial
$f(x)$. In the following theorem and corollary, we shall now make this dependency more explicit.
Proof:

$S(x) f^*(x) \overset{(3.6)\,\&\,(3.7)}{=} \Big(\sum_{i \ge 0} s_i x^i\Big)\Big(\sum_{i=0}^{n} c_{n-i} x^i\Big) = \sum_{j \ge 0} \Big(\sum_{i=0}^{\min(j,n)} c_{n-i} s_{j-i}\Big) x^j =$
$\sum_{j=0}^{n-1} \Big(\sum_{i=0}^{j} c_{n-i} s_{j-i}\Big) x^j + \sum_{j \ge n} \Big(\sum_{i=0}^{n} c_{n-i} s_{j-i}\Big) x^j =$
$\sum_{j=0}^{n-1} \Big(\sum_{i=0}^{j} c_{n-i} s_{j-i}\Big) x^j + \sum_{j \ge n} \Big(\sum_{i=0}^{n} c_i s_{j-n+i}\Big) x^j \overset{(3.3)}{=}$
$\sum_{j=0}^{n-1} \Big(\sum_{i=0}^{j} c_{n-i} s_{j-i}\Big) x^j.$
Remark:


Note that the proof above implies that $S(x) = \dfrac{u(x)}{f^*(x)}$ with $u(x) = \sum_{j=0}^{n-1} \Big(\sum_{i=0}^{j} c_{n-i} s_{j-i}\Big) x^j$. This
polynomial is of degree $< n$ and has coefficients depending on the initial state and the
characteristic polynomial.


Note also that the mapping $S(x) \to S(x) f^*(x)$ is one-to-one since $f^*(x) \ne 0$.


Example 3.4


Consider the LFSR with $n = 5$, $f(x) = 1 + x^2 + x^5$ and take as beginning state (1,1,0,1,0). Then $u(x)$ can be
computed with the Mathematica function PolynomialMod as follows:




To check Theorem 3.4 up to some term $x^L$, we use (3.2) to compute the $s_i$'s up to $L$ (here we use the
Mathematica functions Mod, Print, and PolynomialMod):

{s[0], s[1], s[2], s[3], s[4]} = {1, 1, 0, 1, 0};
{c[0], c[1], c[2], c[3], c[4], c[5]} = {1, 0, 1, 0, 0, 1};
fstar = Sum[c[5 - i] x^i, {i, 0, 5}];
L = 60;
s[i_] := s[i] = Mod[s[i - 5] + s[i - 3], 2];
S = Sum[s[i] x^i, {i, 0, L}]; Print[S];
PolynomialMod[S*fstar, {x^L, 2}]




Note that the output is indeed the same as above.


Corollary 3.5
$\Omega(f) = \Big\{ \dfrac{u(x)}{f^*(x)} \;\Big|\; \deg(u(x)) < n \Big\}.$


Remark: Writing $S(x) = u(x)/f^*(x)$ means the same as $S(x) f^*(x) = u(x)$.


Proof: From Theorem 3.4 and the remark below it we know that each member of $\Omega(f)$ can be
written as $u(x)/f^*(x)$ with $\deg(u(x)) < n$ and we know that this $u(x)$ is unique. This proves the
$\subseteq$-inclusion.


On the other hand, $\Omega(f)$ has cardinality $2^n$ by Lemma 3.3 and there are also exactly $2^n$ binary
polynomials $u(x)$ of degree $< n$.


It is now easy to prove the following lemma.


Lemma 3.6
Let $f$ and $g$ be two (characteristic) polynomials and let $\{s_i\}_{i \ge 0} \in \Omega(f)$ and $\{t_i\}_{i \ge 0} \in \Omega(g)$.
Let $\mathrm{lcm}[f, g]$ denote the least common multiple of $f$ and $g$. Then

$\{s_i + t_i\}_{i \ge 0} \in \Omega(\mathrm{lcm}[f, g]).$

Proof: Write $h = \mathrm{lcm}[f, g]$ and $h = a \cdot f$ and $h = b \cdot g$. Let $S(x)$ and $T(x)$ be the generating functions
of $\{s_i\}_{i \ge 0}$, resp. $\{t_i\}_{i \ge 0}$.


Corollary 3.5 implies that $S(x) = u(x)/f^*(x)$ and $T(x) = v(x)/g^*(x)$, where
$\deg(u(x)) < \deg(f(x))$ and $\deg(v(x)) < \deg(g(x))$. Since

$S(x) + T(x) = \dfrac{u(x)}{f^*(x)} + \dfrac{v(x)}{g^*(x)} = \dfrac{a^*(x)\,u(x)}{a^*(x)\,f^*(x)} + \dfrac{b^*(x)\,v(x)}{b^*(x)\,g^*(x)} = \dfrac{a^*(x)\,u(x) + b^*(x)\,v(x)}{h^*(x)},$


and both $a^*(x) u(x)$ as well as $b^*(x) v(x)$ have degree less than $\deg(h(x))$, it follows that
$S(x) + T(x) \in \Omega(h)$.


□


3.2.3 Which Characteristic Polynomials give PN-Sequences?


The period of a polynomial $f$ with $f(0) \ne 0$ is the smallest positive $m$ such that $f(x)$ divides
$x^m - 1$, i.e. the smallest positive $m$ such that $x^m \equiv 1 \pmod{f(x)}$. It is well defined, since the
sequence of successive powers of $x$, reduced modulo $f(x)$, has to be periodic. Indeed, if
$x^i \equiv x^j \pmod{f(x)}$ and $0 \le i < j$ then also $x^{i-1} \equiv x^{j-1} \pmod{f(x)}$, because $\gcd(x, f(x)) = 1$. (The
term $x$ has a multiplicative inverse by Corollary B.14, so we can indeed divide by $x$.) We can
repeat this process until we get $1 \equiv x^{j-i} \pmod{f(x)}$.


Example 3.5


Let $f(x) = 1 + x^4 + x^5$. Its period can be computed with the Mathematica functions While and
PolynomialMod in the way described above. So, starting with $x$ (trying $m = 1$), we compute the
successive powers of $x$ by multiplying the previous power by $x$ (this amounts to a cyclic shift), and then
reducing the answer modulo $f(x)$, until we arrive at the outcome 1.

f = 1 + x^4 + x^5; m = 1; u = x;
While[u =!= 1, u = PolynomialMod[x*u, {f, 2}]; m = m + 1]; m




It follows from Theorem B.35 that a binary, irreducible polynomial of degree $n$ divides $x^{2^n - 1} - 1$,
so it also follows that the period $m$ of such a polynomial will divide $2^n - 1$.


(This observation can be used to determine the period of a polynomial more efficiently, however
we shall not discuss that technique at this moment. See the end of Example 8.2.)


Lemma 3.7
Let $\{s_i\}_{i \ge 0} \in \Omega(f)$, where $f$ is a polynomial of degree $n$ and period $m$. Then $\{s_i\}_{i \ge 0}$ has a
period dividing $m$.


Proof: Write $x^m - 1 = f(x)\,g(x)$. Taking the reciprocal on both sides gives $x^m - 1 = f^*(x)\,g^*(x)$. By
Corollary 3.5, there exists a polynomial $u(x)$ of degree $< n$ such that

$S(x) = \dfrac{u(x)}{f^*(x)} = \dfrac{u(x)\,g^*(x)}{f^*(x)\,g^*(x)} = \dfrac{u(x)\,g^*(x)}{x^m - 1} = u(x)\,g^*(x)\,(1 + x^m + x^{2m} + \cdots).$

Since $\deg(u(x)\,g^*(x)) < \deg(f^*(x)\,g^*(x)) = \deg(x^m - 1) = m$, we see that $S(x)$ must have
period $m$ or a divisor of it.




Proof: Let $\{s_i\}_{i \ge 0}$ have period $p$. By Lemma 3.7, $p$ divides $m$. Let $S^{(p)}(x) = \sum_{i=0}^{p-1} s_i x^i$. It follows that

$S(x) = S^{(p)}(x)\,(1 + x^p + x^{2p} + \cdots) = \dfrac{S^{(p)}(x)}{x^p - 1},$

while on the other hand, $S(x) = u(x)/f^*(x)$ by Corollary 3.5. Equating these two
expressions yields

$S^{(p)}(x)\,f^*(x) = u(x)\,(x^p - 1)$

and thus

$\big(S^{(p)}(x)\big)^* f(x) = u^*(x)\,(x^p - 1).$


Since $f(x)$ is irreducible of degree $n$ and $\deg(u(x)) < n$, it follows that $f(x)$ divides $x^p - 1$. So,
$m$, the period of $f(x)$, must divide $p$. We conclude that $p = m$.


Example 3.6


Consider the irreducible polynomial $f(x) = 1 + x + x^2 + x^3 + x^4$, which has period 5, since
$x^5 - 1 = (x - 1)\,f(x)$. Output sequences in $\Omega(f)$ also have period 5, by the above lemma, as can easily be
checked.





{1, 1, 0, 0}
1 {1, 0, 0, 0}
2 {0, 0, 0, 1}
3 {0, 0, 1, 1}
4 {0, 1, 1, 0}
5 {1, 1, 0, 0}
A roundabout way to find an irreducible polynomial of degree $n$ is to factor $x^{2^n - 1} - 1$ by means of
the Mathematica function Factor:







In Mathematica one can find an irreducible polynomial over $\mathbb{F}_p$, $p$ prime, with the function IrreduciblePolynomial, for which the package Algebra`FiniteFields` needs to be loaded first.

<< Algebra`FiniteFields`

p = 2; deg = 11;
IrreduciblePolynomial[x, p, deg]

1 + x^2 + x^11


Lemma 3.9
Let $\{s_j\}_{j\ge 0}$ be a PN-sequence, generated by a LFSR with characteristic polynomial $f$. Then $f$ is irreducible.

Proof: Write $f = f_1 f_2$ with $f_1$ irreducible, say of degree $n_1 > 0$.

By Corollary 3.5, the sequence $1/f_1^*(x) \in \Omega(f_1)$, so the period of $1/f_1^*(x)$ divides $2^{n_1} - 1$ by Lemma 3.7 and Theorem B.35.

On the other hand, $1/f_1^*(x) = f_2^*(x)/f^*(x) \in \Omega(f)$, so by Lemma 3.2 $1/f_1^*(x)$ is a cyclic shift of $\{s_j\}_{j\ge 0}$ and thus its period is $2^n - 1$. This is only possible if $n = n_1$, i.e. if $f(x)$ is equal to the irreducible factor $f_1(x)$.


Example 3.7

Consider $f(x) = (1 + x + x^3)(1 + x + x^2) = 1 + x^4 + x^5$. It is easy to check that $1 + x + x^2$ divides $x^3 - 1$ and that $1 + x + x^3$ divides $x^7 - 1$. Since 3 and 7 are relatively prime, it follows that $f(x)$ divides $x^{21} - 1$. We conclude that each output sequence has a period dividing 21.


This can be checked for different beginning states as follows.

0   {1, 0, 0, 0, 0}
1   {0, 0, 0, 0, 1}
2   {0, 0, 0, 1, 1}
3   {0, 0, 1, 1, 1}
4   {0, 1, 1, 1, 1}
5   {1, 1, 1, 1, 1}
6   {1, 1, 1, 1, 0}
7   {1, 1, 1, 0, 1}
8   {1, 1, 0, 1, 0}
9   {1, 0, 1, 0, 1}
10  {0, 1, 0, 1, 0}
11  {1, 0, 1, 0, 0}
12  {0, 1, 0, 0, 1}
13  {1, 0, 0, 1, 1}
14  {0, 0, 1, 1, 0}
15  {0, 1, 1, 0, 0}
16  {1, 1, 0, 0, 0}
17  {1, 0, 0, 0, 1}
18  {0, 0, 0, 1, 0}
19  {0, 0, 1, 0, 0}
20  {0, 1, 0, 0, 0}
21  {1, 0, 0, 0, 0}

The reader may want to try the beginning state (1, 1, 1, 0, 0) and see what the period of the output sequence is. This output sequence could also have been generated with the LFSR with characteristic polynomial $1 + x + x^3$ and beginning state (1, 1, 1) (see also Example 3.11).
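As an added example (not code from the book), the Python below runs the LFSR of Example 3.7 in the book's state convention, computes the period of the output from a given state and the period of the characteristic polynomial itself (the While loop earlier in this section), and checks Lemma 3.7 and Lemma 3.8 on the polynomials of Examples 3.6 and 3.7.

```python
# Added example, not from the book: output periods of an LFSR versus the
# period of its characteristic polynomial (Lemma 3.7, Lemma 3.8 and the
# polynomials of Examples 3.6 and 3.7).
from itertools import product

def lfsr_step(state, coeffs):
    """One clock of an n-stage LFSR in the book's convention: the state is
    (s_k, ..., s_{k+n-1}), coeffs = (c_0, ..., c_{n-1}) belong to
    f(x) = c_0 + c_1 x + ... + c_{n-1} x^{n-1} + x^n, the new bit is
    s_{k+n} = sum_i c_i s_{k+i} (mod 2) and the leftmost bit is the output."""
    new_bit = sum(c & s for c, s in zip(coeffs, state)) & 1
    return state[1:] + (new_bit,)

def state_table(state, coeffs, steps):
    """The successive states, as in the tables of Examples 3.6 and 3.7."""
    table = [tuple(state)]
    for _ in range(steps):
        table.append(lfsr_step(table[-1], coeffs))
    return table

def state_period(state, coeffs):
    """Clocks until the start state recurs, i.e. the period of the output
    sequence that starts from this state."""
    start = tuple(state)
    current, period = lfsr_step(start, coeffs), 1
    while current != start:
        current, period = lfsr_step(current, coeffs), period + 1
    return period

def all_state_periods(coeffs):
    """The set of periods over all 2^n states (the all-zero state gives 1)."""
    return {state_period(s, coeffs) for s in product((0, 1), repeat=len(coeffs))}

def poly_period(f):
    """Period of a binary polynomial f with f(0) = 1, given as the coefficient
    list [f_0, ..., f_n] (f_n = 1): the smallest m >= 1 with x^m = 1 mod f.
    Found like the book's While loop: multiply u by x and reduce modulo f
    until u is 1 again.  u holds the n coefficients of x^0 .. x^{n-1}."""
    n = len(f) - 1
    assert n >= 2 and f[0] == 1 and f[n] == 1
    one = [1] + [0] * (n - 1)
    u = [0, 1] + [0] * (n - 2)                  # u = x
    m = 1
    while u != one:
        carry = u[n - 1]                        # coefficient of x^{n-1}
        u = [0] + u[:n - 1]                     # multiply by x
        if carry:                               # x^n = f_0 + ... + f_{n-1} x^{n-1}
            u = [a ^ b for a, b in zip(u, f[:n])]
        m += 1
    return m
```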


We are now able to prove the main result of this subsection. We remind the reader of the definition of a primitive polynomial (of degree $n$), which is an irreducible polynomial with the property that $x$ is a primitive element in $GF(2)[x]/(f(x))$. This translates directly into the equivalent property that $f(x)$ has (full) period $2^n - 1$.





Proof: Let $f(x)$ have degree $n$.

$\Rightarrow$ Let $\{s_j\}_{j\ge 0} \in \Omega(f)$ be a PN-sequence. It follows from Lemma 3.9 that $f(x)$ must be irreducible. Lemma 3.8 in turn implies that $f(x)$ must have period $2^n - 1$, which makes it a primitive polynomial.

$\Leftarrow$ If $f(x)$ is primitive, it certainly is irreducible. By Lemma 3.8, $\{s_j\}_{j\ge 0}$ has the same period as $f(x)$ has, which is $2^n - 1$. It follows that $\{s_j\}_{j\ge 0}$ is a PN-sequence.
□


Mathematica finds a primitive polynomial of degree $n$ over $\mathbb{F}_2$ in the variable $x$ by means of the FieldIrreducible function.
To find all primitive polynomials of degree $n$ one can factor the cyclotomic polynomial $Q_{2^n - 1}(x)$ (see Definition B.19). With the Mathematica functions Factor and Cyclotomic this goes as follows.

The next corollary now follows directly from Theorem 3.10 and Theorem B.40.

Corollary 3.11
The number of primitive polynomials of degree $n$ over $GF(2)$ is $\varphi(2^n - 1)/n$.





The more or less exponential growth of $\varphi(2^n - 1)/n$ as a function of $n$ makes it, already for moderate values of $n$, impossible for a cryptanalyst to guess the right primitive polynomial or to check them all exhaustively.

With the Mathematica function EulerPhi one can easily verify this.







3.2.4 An Alternative Description of $\Omega(f)$ for Irreducible $f$

We shall now solve recurrence relation (3.2) for the case that the corresponding characteristic polynomial $f = \sum_{i=0}^{n} c_i x^i$ is irreducible. This includes, of course, the case that $f$ is primitive, for which we know that the corresponding LFSR outputs PN-sequences.

We follow the standard mathematical method for solving linear recurrence relations. Substituting $s_j = A\,\alpha^j$, for all $j \ge 0$, in $s_{k+n} = \sum_{i=0}^{n-1} c_i s_{k+i}$ leads to the equation

$$A\,\alpha^{k+n} = \sum_{i=0}^{n-1} c_i A\,\alpha^{k+i}.$$

Here $A$ and $\alpha$ are elements from an extension field of $GF(2)$ that will be determined in a moment. Dividing the above relation by $A\,\alpha^k$, one arrives at $\alpha^n = \sum_{i=0}^{n-1} c_i \alpha^i$, i.e.

$$f(\alpha) = 0.$$


We shall study the case that $f$ is irreducible in more detail. The Galois field $GF(2^n) = GF(2)[x]/(f(x))$ (see Theorem B.16) contains a zero of $f$ as an element. Calling this zero $\alpha$, we note that

$$GF(2^n) = \Big\{ \sum_{i=0}^{n-1} a_i \alpha^i \;\Big|\; a_i \in GF(2),\ 0 \le i < n \Big\},$$

with the normal coefficient-wise addition and with the regular product rule (see (B.3) and (B.4)), but always reducing powers of $\alpha$ with an exponent $\ge n$ by means of the relation $\alpha^n = \sum_{i=0}^{n-1} c_i \alpha^i$ to an expression of degree $< n$ (as shown in Example B.5, where the letter $x$ is used instead of the symbol $\alpha$).
Example 3.8
Consider $f(x) = 1 + x + x^4$ and let $\alpha$ be a zero of $f(x)$, so $\alpha^4 = 1 + \alpha$.

Adding the elements $1 + \alpha + \alpha^3$ and $\alpha + \alpha^2$ in $GF(2)[x]/(f(x))$ gives $1 + \alpha^2 + \alpha^3$. Multiplication gives $\alpha + \alpha^3 + \alpha^4 + \alpha^5$, which is $(\alpha + 1)\,f(\alpha) + (1 + \alpha + \alpha^2 + \alpha^3)$, so the result is $1 + \alpha + \alpha^2 + \alpha^3$.

This could also have been computed with the Mathematica function PolynomialMod, as follows:








Proof: We need to check several things.

i) The sequence $\{s_j\}_{j\ge 0} = \{L(A\,\alpha^j)\}_{j\ge 0}$ clearly is a binary sequence, because $L$ maps $GF(2^n)$ to $GF(2)$.

ii) The sequence $\{s_j\}_{j\ge 0} = \{L(A\,\alpha^j)\}_{j\ge 0}$ satisfies (3.2). To see this, we check the equivalent condition (3.3). By the linearity of $L$ and the relation $f(\alpha) = \sum_{i=0}^{n} c_i \alpha^i = 0$, it follows that

$$\sum_{i=0}^{n} c_i s_{k+i} = \sum_{i=0}^{n} c_i\,L(A\,\alpha^{k+i}) = L\Big(A\,\alpha^k \sum_{i=0}^{n} c_i \alpha^i\Big) = L(0) = 0.$$

iii) Each of the $2^n$ choices of $A \in GF(2^n)$ leads to a different binary solution of (3.3), as we shall now show. By Lemma 3.3, these must constitute all the elements in $\Omega(f)$.

Suppose that the sequences $\{L(A\,\alpha^j)\}_{j\ge 0}$ and $\{L(B\,\alpha^j)\}_{j\ge 0}$ are identical. It follows from $L(A\,\alpha^j) = L(B\,\alpha^j)$, $j \ge 0$, and the linearity of $L$ that in particular $L((A - B)\,\alpha^j) = 0$ for $0 \le j < n$. However, the elements $1, \alpha, \ldots, \alpha^{n-1}$ form a basis of $GF(2^n)$, because $f$ is irreducible. It follows from the linearity of $L$ that $L((A - B)\,w) = 0$ for each field element $w$ in $GF(2^n)$. Since $L$ was a non-trivial mapping, we can conclude that $A = B$.
A convenient non-trivial linear mapping $L$ from $GF(2^n)$ to $GF(2)$ to consider is the Trace function Tr, introduced in Problem B.16.

An alternative is the projection of an element $\sum_{i=0}^{n-1} a_i \alpha^i$ to its constant term $a_0$.


Example 3.9

Take the irreducible polynomial $f(x) = x^4 + x + 1$ of degree 4 (it even is primitive) and let $\alpha$ be a zero of $f(x)$, so $f(\alpha) = 0$. The Trace function is given by $\mathrm{Tr}(x) = x + x^2 + x^4 + x^8$.

Any element $A \in GF(2^4) = \{ \sum_{i=0}^{3} a_i \alpha^i \mid a_i \in GF(2),\ 0 \le i \le 3 \}$ defines a unique binary sequence $\{s_j\}_{j\ge 0}$ defined by $s_j = \mathrm{Tr}(A\,\alpha^j)$. Below, we have taken $A = 1 + \alpha + \alpha^{…}$.

The output sequence, corresponding with any value of $A$, can be evaluated with the Mathematica functions PolynomialMod and Table, as follows:
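A Python rendering of Example 3.9, added here and not part of the book: arithmetic in $GF(2^4) = GF(2)[x]/(x^4 + x + 1)$, the trace $\mathrm{Tr}(x) = x + x^2 + x^4 + x^8$, and the sequences $s_j = \mathrm{Tr}(A\,\alpha^j)$. Since the exponent in the book's choice of $A$ is illegible above, the code takes $A = 1 + \alpha + \alpha^3$ as its own assumption and also checks all sixteen values of $A$.

```python
# Added example, not from the book: the trace description of Omega(f) for
# f(x) = x^4 + x + 1 (Example 3.9).  Field elements are 4-bit integers,
# bit i being the coefficient of alpha^i, where alpha is a zero of f.

F_MASK = 0b10011        # x^4 + x + 1
N = 4
ALPHA = 0b0010          # the element alpha itself

def gf_mul(a, b):
    """Multiply in GF(2^4) by shift-and-add, reducing with alpha^4 = alpha + 1."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= F_MASK
    return r

def gf_add(a, b):
    """Coefficient-wise addition modulo 2."""
    return a ^ b

def trace(x):
    """Tr(x) = x + x^2 + x^4 + x^8; the value lies in GF(2), i.e. is 0 or 1."""
    t, p = 0, x
    for _ in range(N):
        t ^= p
        p = gf_mul(p, p)
    assert t in (0, 1)
    return t

def trace_sequence(A, length):
    """s_j = Tr(A * alpha^j) for j = 0 .. length-1."""
    seq, p = [], A
    for _ in range(length):
        seq.append(trace(p))
        p = gf_mul(p, ALPHA)
    return seq

def satisfies_recurrence(seq, coeffs):
    """Check (3.2): s_{k+n} = sum_i c_i s_{k+i} (mod 2) for every k.
    For f = 1 + x + x^4 the coefficients are (c_0, c_1, c_2, c_3) = (1, 1, 0, 0)."""
    n = len(coeffs)
    return all(seq[k + n] == (sum(c & seq[k + i] for i, c in enumerate(coeffs)) & 1)
               for k in range(len(seq) - n))

def number_of_distinct_sequences(length=15):
    """Part iii) of the proof: the 2^4 choices of A give 2^4 different sequences."""
    return len({tuple(trace_sequence(A, length)) for A in range(1 << N)})

A_EXAMPLE = 0b1011      # 1 + alpha + alpha^3 (assumed choice, see the lead-in)
```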


3.2.5 Cryptographic Properties of PN Sequences 


We shall now investigate to which extent PN-sequences meet Golomb's randomness postulates G1-G3. After that, we check the cryptographic requirements C1-C3. As always, we let $n$ denote the length of the LFSR.


Ad G1: By Lemma 3.2 each non-zero state occurs exactly once per period. The leftmost bit of each state will be the next output bit. So, the number of ones per period is $2^{n-1}$ and the number of zeros per period is $2^{n-1} - 1$, as the all-zero state does not occur.


Ad G2: There are $2^{n-(k+2)}$ states whose leftmost $k+2$ coordinates are of the form $0\,\underbrace{11\ldots1}_{k}\,0$, resp. $1\,\underbrace{00\ldots0}_{k}\,1$. Thus, gaps and blocks of length $k$, $k \le n - 2$, occur exactly $2^{n-(k+2)}$ times per period.

The state $0\,\underbrace{11\ldots1}_{n-1}$ occurs exactly once. Its successor is the all-one state, which in turn is followed by state $\underbrace{11\ldots1}_{n-1}\,0$. Therefore, there is no block of length $n-1$ and one block of length $n$.

Similarly, there is one gap of length $n-1$ and no gap of length $n$.

Ad G3: With $\{s_j\}_{j\ge 0} \in \Omega(f)$ also $\{s_{j+k}\}_{j\ge 0} \in \Omega(f)$ by Lemma 3.2. The linearity of $\Omega(f)$ implies that also $\{s_j + s_{j+k}\}_{j\ge 0} \in \Omega(f)$. The number of agreements per period between $\{s_j\}_{j\ge 0}$ and $\{s_{j+k}\}_{j\ge 0}$ equals the number of zeros in one period of $\{s_j + s_{j+k}\}_{j\ge 0}$, which is $2^{n-1} - 1$ by Lemma 3.2 and G1.

Similarly, the number of disagreements is $2^{n-1}$. Thus, the out-of-phase autocorrelation $AC(k)$ is $-1/(2^n - 1)$ for all $1 \le k < 2^n - 1$.

We conclude that PN-sequences meet Golomb's randomness postulates in a most satisfactory way. 
Let us now check C1-C3. 


Ad C1: Since the period of a PN-sequence generated by an $n$-stage LFSR is $2^n - 1$, one can easily get sufficiently large periods. For instance, with $n = 166$ the period is already about $10^{50}$.


Ad C2: LFSR's are extremely simple to implement. 


Ad C3: PN-sequences are very unsafe! Indeed, knowledge of $2n$ consecutive bits, say $s_k, s_{k+1}, \ldots, s_{k+2n-1}$, enables the cryptanalyst to determine the feedback coefficients $c_0, c_1, \ldots, c_{n-1}$ uniquely and thus the whole $\{s_j\}_{j\ge 0}$-sequence. This follows from the matrix equation:

$$\begin{pmatrix} s_k & s_{k+1} & \cdots & s_{k+n-1} \\ s_{k+1} & s_{k+2} & \cdots & s_{k+n} \\ \vdots & \vdots & & \vdots \\ s_{k+n-1} & s_{k+n} & \cdots & s_{k+2n-2} \end{pmatrix} \begin{pmatrix} c_0 \\ c_1 \\ \vdots \\ c_{n-1} \end{pmatrix} = \begin{pmatrix} s_{k+n} \\ s_{k+n+1} \\ \vdots \\ s_{k+2n-1} \end{pmatrix} \qquad (3.8)$$

The above system has a unique solution, as we shall now show. If $n$ consecutive states of the LFSR exist that are linearly dependent, i.e. if $n$ consecutive states span a $\le (n-1)$-dimensional subspace, then this remains so because of (3.4). This, however, contradicts the linear independence of state $(0, 0, \ldots, 0, 1)$ and its $n-1$ successor states. We conclude that any $n$ consecutive states (and in particular the $n$ rows in the matrix above) are linearly independent. Therefore, the unknown feedback coefficients $c_0, c_1, \ldots, c_{n-1}$ can easily be determined.


Example 3.10

Assume that we know the following substring of length 10: 1, 1, 0, 1, 1, 1, 0, 1, 0, 1. Assuming that $n = 5$, we can solve (3.8) by means of the Mathematica function LinearSolve as follows:

{{1}, {0}, {1}, {0}, {0}}


The feedback coefficients are: $c_0 = 1$, $c_1 = 0$, $c_2 = 1$, $c_3 = 0$, $c_4 = 0$. One can check this quite easily with the Mathematica functions Table, Mod, and Do as follows:

{1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0}


Of course, one does not know in general what the length $n$ is of the LFSR in use. We shall address that problem in a more general setting in Subsection 3.3.1.

If only a string of $2n - 1$ consecutive bits of a PN-sequence is known, the feedback coefficients are not necessarily unique, as follows from the example $n = 4$ and the subsequence 1101011. This remains true even if we had used the additional information that $c_0 = 1$. Below we have added NullSpace to show the dependency in the linear relations.

{{0, 1, 0, 1}}

{{1}, {1}, {0}, {0}}

We have the solutions $(1, 1, 0, 0) + \lambda\,(0, 1, 0, 1)$ with $\lambda \in \{0, 1\}$.
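The two computations above (the $5 \times 5$ system of Example 3.10 and the 7-bit case with its null space), as an added Python example that is not the book's Mathematica code: Gaussian elimination over $GF(2)$ returns a particular solution of (3.8) together with a basis of the null space, so a non-empty basis shows at once that the coefficients are not determined.

```python
# Added example, not from the book: solving the matrix equation (3.8) over
# GF(2) by Gaussian elimination to recover the feedback coefficients of an
# n-stage LFSR from 2n consecutive bits (data of Example 3.10), and exposing
# the null space when only 2n - 1 bits are known (n = 4, bits 1101011).

def gf2_solve(rows, rhs):
    """Solve A c = b over GF(2).  rows: the 0/1 matrix A as a list of lists,
    rhs: the 0/1 vector b.  Returns (particular_solution, null_space_basis),
    or None when the system is inconsistent."""
    m, n = len(rows), len(rows[0])
    a = [list(r) + [b] for r, b in zip(rows, rhs)]     # augmented matrix
    pivots, row = [], 0
    for col in range(n):
        p = next((i for i in range(row, m) if a[i][col]), None)
        if p is None:
            continue
        a[row], a[p] = a[p], a[row]
        for i in range(m):                               # reduced row echelon form
            if i != row and a[i][col]:
                a[i] = [x ^ y for x, y in zip(a[i], a[row])]
        pivots.append(col)
        row += 1
    if any(a[i][n] for i in range(row, m)):              # a "0 = 1" row: no solution
        return None
    free = [c for c in range(n) if c not in pivots]
    solution = [0] * n
    for r, c in enumerate(pivots):
        solution[c] = a[r][n]
    null_space = []
    for fcol in free:                                    # one basis vector per free column
        v = [0] * n
        v[fcol] = 1
        for r, c in enumerate(pivots):
            v[c] = a[r][fcol]
        null_space.append(v)
    return solution, null_space

def hankel_system(bits, n):
    """Rows (s_r, ..., s_{r+n-1}) and right-hand sides s_{r+n} of (3.8), built
    from consecutive bits s_0, s_1, ...; 2n bits give the n equations of (3.8)."""
    rows = [list(bits[r:r + n]) for r in range(len(bits) - n)]
    rhs = [bits[r + n] for r in range(len(bits) - n)]
    return rows, rhs

def recover_coefficients(bits, n):
    """(c_0, ..., c_{n-1}) as a particular solution plus the null-space basis."""
    return gf2_solve(*hankel_system(bits, n))

def lfsr_output(coeffs, state, length):
    """Run s_{k+n} = sum_i c_i s_{k+i} (mod 2) from the given start state."""
    s, n = list(state), len(coeffs)
    while len(s) < length:
        s.append(sum(c & s[-n + i] for i, c in enumerate(coeffs)) & 1)
    return s
```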


Since sequences generated by LFSR's fail to meet requirement C3, the next step will be to study 
nonlinear shift registers. However, since so much is known about PN-sequences, it is quite natural 
that one tries to combine LFSR's in a non-linear way in order to get pseudo-random sequences 
with the right cryptographic properties. 
3.3 Non-Linear Algorithms


3.3.1 Minimal Characteristic Polynomial


As already mentioned at the beginning of Section 3.1, any deterministic algorithm in a finite state machine will generate a sequence $\{s_j\}_{j\ge 0}$ which is ultimately periodic, say with period $p$. This means that, except for a beginning part, $\{s_j\}_{j\ge 0}$ will be generated in a trivial way by the LFSR with characteristic polynomial $1 + x^p$. Therefore, the sequence $\{s_j\}_{j\ge 0}$, which was possibly made in a non-linear way, can also be made by a LFSR (except for a finite beginning part). If this beginning part is non-empty, not every state has a unique predecessor and the output sequence certainly will not have maximal period. We shall address this problem in Theorem 3.22. Here, we shall assume that the output sequence is periodic right from the start. The discussion above justifies the following definition.


Definition 3.5
The linear complexity (or linear equivalence) of a periodic sequence $\{s_j\}_{j\ge 0}$ is the length $l$ of the smallest LFSR that can generate $\{s_j\}_{j\ge 0}$.





The following two lemmas are needed to prove explicit statements about the linear complexity of 
periodic sequences. 


Lemma 3.13
Let $h$ and $f$ be the characteristic polynomials of an $m$-stage, resp. $n$-stage LFSR. Then,
$$\Omega(h) \subseteq \Omega(f) \iff h \mid f.$$

Proof:

$\Rightarrow$ Since $1/h^* \in \Omega(h) \subseteq \Omega(f)$, it follows from Corollary 3.5 that a polynomial $u(x)$ of degree $< n$ exists, such that one has $1/h^*(x) = u(x)/f^*(x)$. We conclude that $f^*(x) = h^*(x)\,u(x)$ and thus that $f(x) = h(x)\,u^*(x)$, which means that $h \mid f$.

$\Leftarrow$ Writing $f(x) = a(x)\,h(x)$ with $\deg(a(x)) = n - m$, one has by the same Corollary 3.5 that

$$\Omega(h) = \Big\{ \frac{v(x)}{h^*(x)} \;\Big|\; \deg(v(x)) < m \Big\} = \Big\{ \frac{a^*(x)\,v(x)}{a^*(x)\,h^*(x)} \;\Big|\; \deg(v(x)) < m \Big\}$$

$$= \Big\{ \frac{a^*(x)\,v(x)}{f^*(x)} \;\Big|\; \deg(a^*(x)\,v(x)) < n \Big\} \subseteq \Omega(f).$$


50 FUNDAMENTALS OF CRYPTOLOGY 


Example 3.11

The sequence $\{s_j\}_{j\ge 0} = 100101110\ldots$ is the output sequence of the LFSR with $h(x) = 1 + x + x^3$ and beginning state (1, 0, 0), as can be checked by

n = 3;
{s[0], s[1], s[2]} = {1, 0, 0};
{c[0], c[1], c[2]} = {1, 1, 0};
Do[s[k] = Mod[Sum[c[i] s[k - n + i], {i, 0, n - 1}], 2], {k, n, 2^n}];
Table[s[k], {k, 0, 2^n}]

{1, 0, 0, 1, 0, 1, 1, 1, 0}

However, since $h(x)\,(1 + x + x^2) = 1 + x^4 + x^5$, the same output sequence can also be obtained from the LFSR with characteristic polynomial $f(x) = 1 + x^4 + x^5$ (see also Example 3.7). As beginning state one now has to take the first five terms of $\{s_j\}_{j\ge 0}$.

n = 5;
{s[0], s[1], s[2], s[3], s[4]} = {1, 0, 0, 1, 0};
{c[0], c[1], c[2], c[3], c[4]} = {1, 0, 0, 0, 1};
Do[s[k] = Mod[Sum[c[i] s[k - n + i], {i, 0, n - 1}], 2], {k, n, 2^n}];
Table[s[k], {k, 0, 2^n}]





Let $\{s_j\}_{j\ge 0} \in \Omega(f)$ for some $f$ and suppose that one is looking for a polynomial $h$ of smallest degree such that $\{s_j\}_{j\ge 0} \in \Omega(h)$. Then, Lemma 3.13 suggests to check the divisors of $f$. That this is sufficient will be proved later. The next lemma says when one does not need to check the divisors of $f$.

Lemma 3.14
Let $\{s_j\}_{j\ge 0} \in \Omega(f)$ and $S(x) = u(x)/f^*(x)$. Then,

$$\exists_{h \mid f,\ h \ne f}\,\big[\{s_j\}_{j\ge 0} \in \Omega(h)\big] \iff \gcd(u(x), f^*(x)) \ne 1.$$

Proof: Let $d(x)$ divide $\gcd(u(x), f^*(x))$ with $\deg(d(x)) \ge 1$.

Then, $S(x) = \dfrac{u(x)}{f^*(x)} = \dfrac{u(x)/d(x)}{f^*(x)/d(x)}$, so $\{s_j\}_{j\ge 0} \in \Omega(f/d^*)$. It follows that there exists a proper divisor $h$ of $f$, namely $f/d^*$, with $\{s_j\}_{j\ge 0} \in \Omega(h)$.
The proof in the reverse direction goes exactly the same.


Theorem 3.15

Let $\{s_j\}_{j\ge 0}$ be a binary, periodic sequence, say with period $p$. Let the first $p$ terms of $\{s_j\}_{j\ge 0}$ be given by $S^{(p)}(x) = s_0 + s_1 x + \cdots + s_{p-1} x^{p-1}$.

Then there exists a unique polynomial $m(x)$ with the following two properties:

i) $\{s_j\}_{j\ge 0} \in \Omega(m)$,

ii) $\forall_h\,\big[\{s_j\}_{j\ge 0} \in \Omega(h) \Rightarrow m \mid h\big]$.

The reciprocal $m^*(x)$ of $m(x)$ is given by

$$m^*(x) = \frac{1 - x^p}{\gcd(S^{(p)}(x),\ 1 - x^p)}.$$

The polynomial $m(x)$ is called the minimal characteristic polynomial of $\{s_j\}_{j\ge 0}$.


Example 3.12
Let $\{s_j\}_{j\ge 0}$ have period 15 and let $S^{(15)}(x) = 1 + x^4 + x^7 + x^8 + x^{10} + x^{12} + x^{13} + x^{14}$. Then

$$\gcd(x^{15} - 1,\ S^{(15)}(x)) = (1 + x)(1 + x + x^2)(1 + x + x^2 + x^3 + x^4)(1 + x + x^4).$$

So, $m^*(x) = (x^{15} - 1)/\gcd(x^{15} - 1,\ S^{(15)}(x)) = 1 + x^3 + x^4$ and thus $m(x) = 1 + x + x^4$. Indeed, this $S(x)$ is the output sequence of the LFSR in Figure 3.4.

The above calculations can be executed with the Mathematica functions PolynomialGCD, PolynomialQuotient, and PolynomialMod.

p = 15;
s = 1 + x^4 + x^7 + x^8 + x^10 + x^12 + x^13 + x^14;
g = PolynomialGCD[s, x^p - 1, Modulus -> 2];
MSTAR = PolynomialMod[PolynomialQuotient[x^p - 1, g, x], 2]

1 + x^3 + x^4


Proof of Theorem 3.15:

Let $\{s_j\}_{j\ge 0} \in \Omega(m)$. If $\{s_j\}_{j\ge 0} \in \Omega(h)$ for some proper divisor $h$ of $m$, replace $m$ by $h$ and continue with this procedure until it can be assumed that $\{s_j\}_{j\ge 0} \notin \Omega(h)$ for any proper divisor $h$ of $m$.

We shall show that such an $m$ is unique and of the form given in Theorem 3.15.

Since the period of $\{s_j\}_{j\ge 0}$ is $p$, Corollary 3.5 implies that for some $u(x)$ with $\deg(u(x)) < \deg(m(x))$,

$$\frac{S^{(p)}(x)}{1 - x^p} = S^{(p)}(x)\,(1 + x^p + x^{2p} + \cdots) = S(x) = \frac{u(x)}{m^*(x)}.$$

By our assumption on $m$ and by Lemma 3.14, $\gcd(m^*(x), u(x)) = 1$, so

$$\gcd\Big(m^*(x),\ \frac{m^*(x)\,S^{(p)}(x)}{1 - x^p}\Big) = 1.$$

It follows that

$$\gcd\big(m^*(x)\,(1 - x^p),\ m^*(x)\,S^{(p)}(x)\big) = 1 - x^p,$$

i.e.

$$m^*(x)\cdot\gcd\big(1 - x^p,\ S^{(p)}(x)\big) = 1 - x^p.$$

Hence

$$m^*(x) = \frac{1 - x^p}{\gcd(1 - x^p,\ S^{(p)}(x))}.$$

Corollary 3.16

The linear complexity of a binary, periodic sequence $\{s_j\}_{j\ge 0}$ with period $p$ and initial segment $S^{(p)}(x) = \sum_{i=0}^{p-1} s_i x^i$ is equal to

$$p - \deg\big(\gcd(x^p - 1,\ S^{(p)}(x))\big).$$
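Theorem 3.15 and Corollary 3.16 in Python, as an added example that is not the book's Mathematica code: binary polynomials are held as integers (bit $i$ is the coefficient of $x^i$), the gcd with $x^p - 1$ is computed by Euclid's algorithm over $GF(2)$, and the data of Example 3.12 and the period-5 sequence of Example 3.6 are checked.

```python
# Added example, not from the book: the minimal characteristic polynomial
# m(x) and the linear complexity of a periodic binary sequence via
#   m*(x) = (1 - x^p) / gcd(S^(p)(x), 1 - x^p)                (Theorem 3.15)
#   linear complexity = p - degree(gcd(x^p - 1, S^(p)(x)))   (Corollary 3.16)
# Polynomials over GF(2) are Python ints: bit i is the coefficient of x^i.

def degree(a):
    return a.bit_length() - 1                 # degree(0) = -1

def poly_divmod(a, b):
    """Quotient and remainder of a by b over GF(2) (b != 0)."""
    q = 0
    while a and degree(a) >= degree(b):
        shift = degree(a) - degree(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def poly_gcd(a, b):
    """Euclid's algorithm; over GF(2) the result is monic automatically."""
    while b:
        a, b = b, poly_divmod(a, b)[1]
    return a

def poly_reciprocal(a):
    """a*(x) = x^degree(a) a(1/x): reverse the coefficient bits."""
    return int(format(a, "b")[::-1], 2)

def poly_from_sequence(bits):
    """S^(p)(x) = s_0 + s_1 x + ... + s_{p-1} x^{p-1} from one period."""
    return sum(b << i for i, b in enumerate(bits))

def poly_to_str(a):
    terms = ["1" if i == 0 else "x" if i == 1 else f"x^{i}"
             for i in range(degree(a) + 1) if a >> i & 1]
    return "+".join(terms) or "0"

def minimal_characteristic_polynomial(period_bits):
    """Return (m(x), linear complexity) for the periodic sequence whose one
    period is period_bits, following Theorem 3.15 and Corollary 3.16."""
    p = len(period_bits)
    x_p_minus_1 = (1 << p) | 1                # x^p - 1 = x^p + 1 over GF(2)
    g = poly_gcd(x_p_minus_1, poly_from_sequence(period_bits))
    m_star, remainder = poly_divmod(x_p_minus_1, g)
    assert remainder == 0                     # g divides x^p - 1 by construction
    m = poly_reciprocal(m_star)               # m*(0) = 1, so the degree is kept
    return m, p - degree(g)

SEQ_3_12 = [1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1]   # S^(15) of Example 3.12
```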


3.3.2 The Berlekamp-Massey Algorithm 


Corollary 3.16 may be of help to the designer of a non-linear system to determine how safe his system is against the kind of attack described in the discussion "Ad C3" in Subsection 3.2.5.

A cryptanalyst, on the other hand, who knows a segment of the output sequence, say $s_0, s_1, \ldots, s_{k-1}$, can try the following strategy:

i) find the smallest LFSR that generates $s_0, s_1, \ldots, s_{k-1}$,

ii) determine the next output bit of this LFSR and hope that it correctly "predicts" the next bit $s_k$ of the sequence.

Definition 3.6

$L_k(\{s_j\}_{j\ge 0})$ is the length of the shortest LFSR that generates $s_0, s_1, \ldots, s_{k-1}$.

When it is clear from the context which $\{s_j\}_{j\ge 0}$ is involved we shall simply write $L_k$. The polynomial $f^{(k)}(x)$ will denote the characteristic polynomial of any $L_k$-stage LFSR that generates the sequence $s_0, s_1, \ldots, s_{k-1}$.

Clearly $L_k(\{s_j\}_{j\ge 0}) \le k$ for any sequence $\{s_j\}_{j\ge 0}$, since any $k$-stage LFSR will generate $s_0, s_1, \ldots, s_{k-1}$, simply by taking $s_0, s_1, \ldots, s_{k-1}$ as starting state.
Proof: Any LFSR of length $n$, $n < k$, that is filled with the first $n$ symbols of $\{t_j\}_{j\ge 0}$ (which are all zero) will output the all-zero sequence, so $t_{k-1}$ will not be 1.





Proof: This is a direct consequence of Lemma 3.6. Indeed, let the LFSR's with characteristic polynomial $f(x)$ and $g(x)$ generate the first $k$ terms of $\{s_j\}_{j\ge 0}$, resp. $\{t_j\}_{j\ge 0}$. Then by Lemma 3.6, the first $k$ terms of $\{s_j + t_j\}_{j\ge 0}$ will be generated by the LFSR with characteristic polynomial $\mathrm{lcm}[f(x), g(x)]$. This lcm has degree at most the sum of the degrees of $f(x)$ and $g(x)$.


It follows from Definition 3.6 that $L_{k+1} \ge L_k$ for any sequence $\{s_j\}_{j\ge 0}$. More can be said.





Proof: We already know that $L_{k+1} \ge L_k$.

Let $\{t_j\}_{j\ge 0}$ be a sequence starting with $\underbrace{00\ldots0}_{k}1$ as beginning sequence. Since the LFSR with characteristic polynomial $f^{(k)}(x)$ does generate $s_0, s_1, \ldots, s_{k-1}$, but not $s_0, s_1, \ldots, s_k$, it follows that this LFSR will generate the first $k+1$ terms of $\{s_j + t_j\}_{j\ge 0}$. Since $L_{k+1} \ge L_k$ holds for any sequence, we can conclude that

$$L_{k+1}(\{s_j + t_j\}_{j\ge 0}) = L_k(\{s_j + t_j\}_{j\ge 0}) = L_k(\{s_j\}_{j\ge 0})\ (= L_k).$$

The statement now follows with Lemma 3.17 and Lemma 3.18 from

$$k + 1 = L_{k+1}(\{t_j\}_{j\ge 0}) \le L_{k+1}(\{s_j\}_{j\ge 0}) + L_{k+1}(\{s_j + t_j\}_{j\ge 0}) = L_{k+1} + L_k.$$
□


The following theorem shows that in fact equality holds in the above lemma. The proof follows from the Berlekamp-Massey algorithm, that constructs $f^{(k)}(x)$ recursively, cf. [Mass69]. This algorithm is well known in algebraic coding theory for the decoding of BCH codes and Reed-Solomon codes (see [Berl68], Chapter 7).


Theorem 3.20

Let $\{s_j\}_{j\ge 0}$ be an output sequence. Suppose that the LFSR with characteristic polynomial $f^{(k)}(x)$ does not output $s_k$ correctly. Then

$$L_{k+1} = \max\{L_k,\ k + 1 - L_k\}.$$

Proof: In view of Lemma 3.19, it suffices to find a polynomial $f(x)$ of degree equal to $\max\{L_k,\ k + 1 - L_k\}$ that does output the first $k + 1$ terms of $\{s_j\}_{j\ge 0}$ correctly. This is exactly what the Berlekamp-Massey algorithm does in a very efficient way.


We shall prove the theorem by induction. 


Getting the induction argument started.
Define $L_0 = 0$ and $f^{(0)}(x) = 1$.

The sequence $\underbrace{00\ldots0}_{k}$ of length $k$ can be generated by the (degenerate) LFSR with characteristic polynomial $f^{(k)}(x) = 1$ of degree $L_k = 0$.

The sequence $\underbrace{00\ldots0}_{k}1$ of length $k + 1$ can be generated by any $(k+1)$-stage LFSR, but not by a shorter LFSR, as we already saw in Lemma 3.17. In this case,

$$L_{k+1} = k + 1 = k + 1 - L_k = \max\{L_k,\ k + 1 - L_k\}.$$

This proves the first induction step.


The induction step: $k \to k + 1$.

By putting $k + n = j$, $c_i = f_i^{(k)}$ and $n = L_k$ in (3.2), the induction hypothesis for $k$ can be formulated as:

$$\sum_{i=0}^{L_k - 1} f_i^{(k)} s_{j - L_k + i} = s_j, \qquad L_k \le j \le k - 1. \qquad (3.9)$$

If (3.9) also holds for $j = k$, then $L_{k+1} = L_k$, $f^{(k+1)}(x) = f^{(k)}(x)$ and there remains nothing to prove. If (3.9) does not hold, then

$$\sum_{i=0}^{L_k - 1} f_i^{(k)} s_{k - L_k + i} = s_k + 1. \qquad (3.10)$$

Let $m$ be the unique integer smaller than $k$ defined by

i) $L_m < L_k$,
ii) $L_{m+1} = L_k$,

so $m$ is the index of the last increase of $L$.

Because we have already proved the start of the induction argument, this number is well defined. It follows from the induction hypothesis and the above definition of $m$ that:

$$\sum_{i=0}^{L_m - 1} f_i^{(m)} s_{j - L_m + i} = \begin{cases} s_j, & \text{if } L_m \le j \le m - 1, \\ s_j + 1, & \text{if } j = m. \end{cases} \qquad (3.11)$$

Notice that $L_k = L_{m+1} = \max\{L_m,\ m + 1 - L_m\} = m + 1 - L_m$.
Define $L = \max\{L_k,\ k + 1 - L_k\}$. We claim that

$$f(x) = x^{L - L_k} f^{(k)}(x) + x^{L - k + m - L_m} f^{(m)}(x) \qquad (3.12)$$

will be a suitable choice for $f^{(k+1)}(x)$.

Clearly, the first term in (3.12) has degree $(L - L_k) + L_k = L$ and the second term has degree $(L - k + m - L_m) + L_m < L$. So, $f(x)$ has the right degree. But also, by (3.9), (3.10), (3.11),

$$\sum_{i=0}^{L-1} f_i s_{j - L + i} \overset{(3.12)}{=} \sum_{i=0}^{L_k - 1} f_i^{(k)} s_{j - L_k + i} + \sum_{i=0}^{L_m} f_i^{(m)} s_{j - k + m - L_m + i}$$

$$\overset{\text{subst.}}{=} \sum_{i=0}^{L_k - 1} f_i^{(k)} s_{j - L_k + i} + \sum_{i=0}^{L_m - 1} f_i^{(m)} s_{j - k + m - L_m + i} + s_{j - k + m}$$

$$= \begin{cases} s_j + 0 = s_j, & L \le j \le k - 1, \\ (s_k + 1) + 1 = s_k, & j = k. \end{cases}$$

This proves that the LFSR with characteristic polynomial $f(x)$ indeed can generate $s_0, s_1, \ldots, s_k$.
□


Theorem 3.20 only proves that the degree $L_{k+1}$ of $f^{(k+1)}(x)$ is unique. In general, the polynomial $f^{(k+1)}(x)$ itself will not be unique.


The algorithm, described in the proof above, can be executed and summarized as follows:

Algorithm 3.21 Berlekamp-Massey

input: a binary sequence $\{s_j\}_{j\ge 0}$, an index $u$
initialization: $f = 1$, $L = 0$, $j = 0$
parameters used:
  $f_{new}$, $L_{new}$: stand for the characteristic polynomial and length of the LFSR as desired by the present iteration;
  $f_{old}$, $L_{old}$: stand for the polynomial and length just before the last change in length;
  diff: the difference between the present iteration number and the iteration number after the last change in length.

while ($s_j = 0$) $\wedge$ ($j \le u$) do $j = j + 1$
if $j = u + 1$ then STOP
$f_{old} = 1$; $L_{old} = 0$
$f = x^{j+1}$; $L = \deg(f)$
$k = j + 1$; diff $= 0$
while $k \le u$ do
begin
  if $\sum_{i=0}^{L-1} f_i s_{k-L+i} \ne s_k$ then
  begin
    $L_{new} = \max\{L,\ k + 1 - L\}$
    $f_{new} = x^{L_{new} - L} f + x^{L_{new} - \mathrm{diff} - 1 - L_{old}} f_{old}$
    if $L_{new} \ne L$ then
    begin
      $f_{old} = f$; $L_{old} = L$; diff $= 0$;
    end
    else
    begin
      diff $=$ diff $+ 1$;
    end
    $f = f_{new}$; $L = L_{new}$
  end
  else
  begin
    diff $=$ diff $+ 1$;
  end
  $k = k + 1$;
end
output $f$, the characteristic polynomial of the shortest LFSR that can output $(s_0, s_1, \ldots, s_u)$.
Example 3.13

Consider the sequence
$\{s_j\}_{j=0}^{30} = \{0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0\}$.

The Mathematica version of the Berlekamp-Massey algorithm that we give below makes use of the functions Do, CoefficientList, Mod, Max, PolynomialMod, Length, and Print. Note that we have combined the two while statements in the algorithm above into a single Do statement. All intermediate functions are also printed.





j=4, L=0, f=1
j=5, L=0, f=1
j=6, L=6, f=1+x^6
j=7, L=6, f=1+x^5+x^6
j=8, L=6, f=1+x^5+x^6
j=9, L=6, f=1+x^5+x^6
j=10, L=6, f=1+x^5+x^6
j=11, L=6, f=1+x^5+x^6
j=12, L=6, f=x^5+x^6
j=13, L=6, f=x^5+x^6
j=14, L=6, f=x^5+x^6
j=15, L=6, f=x^5+x^6
j=16, L=6, f=x^5+x^6
j=17, L=6, f=x^5+x^6
j=18, L=12, f=1+x^11+x^12
j=19, L=12, f=1+x^10+x^12
j=20, L=12, f=1+x^9+x^12
j=21, L=12, f=1+x^8+x^12
j=22, L=12, f=1+x^7+x^12
j=23, L=12, f=1+x^6+x^12
j=24, L=12, f=1+x^5+x^12
j=25, L=13, f=x+x^5+x^13
j=26, L=13, f=1+x+x^12+x^13
j=27, L=14, f=1+x+x^2+x^5+x^12+x^13+x^14
j=28, L=14, f=x^2+x^5+x^14
j=29, L=14, f=x^2+x^5+x^14
j=30, L=16, f=1+x+x^4+x^7+x^12+x^13+x^16
j=31, L=16, f=1+x+x^4+x^7+x^12+x^13+x^16
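The run above, as an added Python example that is not the book's Mathematica code: Massey's form of the algorithm keeps the connection polynomial $C(x)$ (with $s_j = \sum_{i=1}^{L} C_i s_{j-i}$), and the book's characteristic polynomial is read off as $f(x) = x^L C(1/x)$; the code reproduces the profile $L_j$ and the final $f$ of Example 3.13 and also checks the sequences of Examples 3.10 and 3.11.

```python
# Added example, not from the book: Berlekamp-Massey (Algorithm 3.21) in the
# connection-polynomial form of Massey's paper.  Polynomials are lists of
# 0/1 coefficients, index i = coefficient of x^i.
from itertools import zip_longest

def poly_add(a, b):
    return [x ^ y for x, y in zip_longest(a, b, fillvalue=0)]

def reciprocal(C, L):
    """Characteristic polynomial in the book's convention: f(x) = x^L C(1/x),
    i.e. f_i = C_{L-i}, with C padded with zeros up to degree L."""
    C = C + [0] * (L + 1 - len(C))
    return [C[L - i] for i in range(L + 1)]

def bm_profile(bits):
    """Yield (L_j, f^{(j)}) after the first j bits, j = 1, ..., len(bits)."""
    C, B = [1], [1]     # current connection polynomial and the one saved at
    L, m = 0, 1         # the last length change; m = steps since that change
    for N, s in enumerate(bits):
        d = s                               # discrepancy: s_N + sum_i C_i s_{N-i}
        for i in range(1, L + 1):
            if i < len(C) and C[i] and bits[N - i]:
                d ^= 1
        if d == 0:
            m += 1
            yield L, reciprocal(C, L)
            continue
        T = C[:]
        C = poly_add(C, [0] * m + B)        # C = C + x^m B
        if 2 * L <= N:                      # the length must grow: L = N + 1 - L
            L, B, m = N + 1 - L, T, 1
        else:
            m += 1
        yield L, reciprocal(C, L)

def berlekamp_massey(bits):
    """(L_u, f) for the shortest LFSR generating the whole of bits."""
    result = (0, [1])
    for result in bm_profile(bits):
        pass
    return result

def generates(f, bits):
    """True if the LFSR with characteristic polynomial f = [f_0, ..., f_L]
    reproduces bits from its first L terms: s_{k+L} = sum_{i<L} f_i s_{k+i}."""
    L = len(f) - 1
    return all(bits[k + L] == (sum(f[i] & bits[k + i] for i in range(L)) & 1)
               for k in range(len(bits) - L))

def poly_str(f):
    """Print [f_0, ..., f_L] the way the book's trace does, e.g. 1+x^5+x^6."""
    terms = ["1" if i == 0 else "x" if i == 1 else f"x^{i}"
             for i, c in enumerate(f) if c]
    return "+".join(terms) or "0"

# The sequence of Example 3.13.
SEQ_3_13 = [0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
            0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0]

if __name__ == "__main__":
    for j, (L, f) in enumerate(bm_profile(SEQ_3_13), start=1):
        print(f"j={j}, L={L}, f={poly_str(f)}")
```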


3.3.3 A Few Observations about Non-Linear Algorithms 


The problem with non-linear feedback shift registers, in general, is the difficulty of their analysis. 
One has to answer questions like: how many different cycles of output sequences are there, what is 
their length, what is their linear complexity, etc. The following theorem will make it clear that it is 
possible to say at least a little bit about general non-linear feedback shift registers. 


Clearly, the output sequence of a non-linear FSR does not have maximal period if there are two 
different states with the same successor state. A state with more than one predecessor is called a 
branch point. 


Theorem 3.22

An $n$-stage feedback shift register with (non-linear) feedback function $f(s_0, s_1, \ldots, s_{n-1})$ has no branch points if and only if a Boolean function $g(s_1, s_2, \ldots, s_{n-1})$ exists such that

$$f(s_0, s_1, \ldots, s_{n-1}) = s_0 + g(s_1, s_2, \ldots, s_{n-1}).$$

Proof: Since $f$ is a Boolean function, one can write

$$f(s_0, s_1, \ldots, s_{n-1}) = g(s_1, s_2, \ldots, s_{n-1}) + s_0\,h(s_1, s_2, \ldots, s_{n-1}).$$

$\Rightarrow$ If $h(s_1, s_2, \ldots, s_{n-1}) = 0$ for some $(s_1, s_2, \ldots, s_{n-1})$, then both states $(0, s_1, s_2, \ldots, s_{n-1})$ and $(1, s_1, s_2, \ldots, s_{n-1})$ will have the same successor state. Thus a branch point would exist, contradicting our assumption. We conclude that $h \equiv 1$.

$\Leftarrow$ The state $(0, s_1, s_2, \ldots, s_{n-1})$ has successor $(s_1, s_2, \ldots, s_{n-1}, s_n)$ with $s_n = g(s_1, s_2, \ldots, s_{n-1})$, while state $(1, s_1, s_2, \ldots, s_{n-1})$ has successor $(s_1, s_2, \ldots, s_{n-1}, s_n + 1)$. Therefore, there are no branch points.
□
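Theorem 3.22 as an added Python example (not from the book): enumerate the $2^n$ states of a feedback shift register, find the branch points, test the criterion $f(s_0, s_1, \ldots, s_{n-1}) = s_0 + g(s_1, \ldots, s_{n-1})$, and, when there are no branch points, list the cycle lengths of the state graph. The three 4-stage feedback functions are constructed for this example.

```python
# Added example, not from the book: branch points of a non-linear feedback
# shift register and the criterion of Theorem 3.22.
from itertools import product

def successor(state, feedback):
    """state = (s_0, ..., s_{n-1}); the register shifts left and appends
    s_n = feedback(s_0, ..., s_{n-1})."""
    return state[1:] + (feedback(*state) & 1,)

def branch_points(n, feedback):
    """States with more than one predecessor, in sorted order."""
    predecessors = {}
    for state in product((0, 1), repeat=n):
        predecessors.setdefault(successor(state, feedback), []).append(state)
    return sorted(s for s, preds in predecessors.items() if len(preds) > 1)

def has_theorem_form(n, feedback):
    """True iff f(s_0, s_1, ..., s_{n-1}) = s_0 + g(s_1, ..., s_{n-1}) for some g,
    i.e. iff complementing s_0 always complements the feedback value."""
    return all(feedback(0, *rest) != feedback(1, *rest)
               for rest in product((0, 1), repeat=n - 1))

def cycle_lengths(n, feedback):
    """Lengths of the cycles of the state graph.  Only defined when there are
    no branch points: then the successor map is a permutation of the states,
    so every state lies on exactly one cycle."""
    assert not branch_points(n, feedback)
    seen, lengths = set(), []
    for start in product((0, 1), repeat=n):
        if start in seen:
            continue
        state, length = start, 0
        while True:
            seen.add(state)
            state, length = successor(state, feedback), length + 1
            if state == start:
                break
        lengths.append(length)
    return sorted(lengths)

# Constructed 4-stage feedback functions for the example:
def f_linear(s0, s1, s2, s3):          # the LFSR with f(x) = 1 + x + x^4
    return s0 ^ s1

def f_nonlinear(s0, s1, s2, s3):       # s_0 + g(s_1, s_2, s_3) with g = s_1 s_2 + s_3
    return s0 ^ (s1 & s2) ^ s3

def f_branching(s0, s1, s2, s3):       # s_0 enters only through the product s_0 s_1
    return (s0 & s1) ^ s2 ^ s3
```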


There are many ways to use LFSR's in a non-linear way. Below we depict two proposals that are extensively discussed in [Ruep86]. Other ideas can be found in [MeOoV97], Chapter 6.

Figure 3.5  Combining several PN's with one non-linear function f.

Figure 3.6  One LFSR with a non-linear output (non-linear function f).


3.4 Problems 


Problem 3.1

Let $\{s_j\}_{j\ge 0}$ be a binary, periodic sequence of period 17, starting with the sequence 01101000110001011. To which extent does $\{s_j\}_{j\ge 0}$ satisfy Golomb's Randomness Postulates?

(Note for the interested reader. The sequence above has its ones at the positions corresponding to the quadratic residues modulo 17 (see also the input line above Theorem A.21). The parameters that arise when checking G3 can be predicted by Theorem A.22 and Corollary A.24.)


Problem 3.2
Express the polynomial $\gcd(x^m - 1,\ x^n - 1)$ in terms of $x$ and $\gcd(m, n)$. (See also Problem A.3.)


Problem 3.3

Let $\{u_j\}_{j\ge 0}$ and $\{v_j\}_{j\ge 0}$ be the output sequences of binary LFSR's of length $m$ resp. $n$, where $m, n \ge 2$. Assume that $\{u_j\}_{j\ge 0}$ and $\{v_j\}_{j\ge 0}$ are both PN-sequences and that $\gcd(m, n) = 1$. Hence, also $\gcd(2^m - 1,\ 2^n - 1) = 1$ (see Problem A.3). Let the sequence $\{w_j\}_{j\ge 0}$ be defined by $w_j = u_j v_j$, $j \ge 0$, and let $p$ be the period of $\{w_j\}_{j\ge 0}$.

a) Prove that $p$ is a divisor of $(2^m - 1)(2^n - 1)$.

b) How many zeros and how many ones appear in a subsequence of length $(2^m - 1)(2^n - 1)$ in the sequence $\{w_j\}_{j\ge 0}$?

c) Prove that $(2^m - 1)(2^n - 1)/p$ must divide the two numbers determined in b).

d) Prove that $p = (2^m - 1)(2^n - 1)$.

e) How many gaps of length 1 does the $\{w_j\}_{j\ge 0}$-sequence have per period when $m, n \ge 4$?

Problem 3.4 


Let $\{s_j\}_{j\ge 0}$ be the binary sequence defined by

$$s_i = \begin{cases} 1, & \text{if } i = 2^l - 1,\ l \in \mathbb{N}, \\ 0, & \text{otherwise.} \end{cases}$$

So, $\{s_j\}_{j\ge 0}$ starts like 11010001000000010. Let $L_n$ be the linear complexity of $s_0, s_1, \ldots, s_{n-1}$.
Prove that


te Vere ane 


Problem 3.5*
Let a binary sequence $\{s_j\}_{j\ge 0}$ have period 15 and start with 010110000101010.
What is the minimal characteristic polynomial of $\{s_j\}_{j\ge 0}$ and what is the linear complexity of this sequence?


Problem 3.6

Consider the binary, periodic sequence $\{s_j\}_{j\ge 0}$ determined by the period $2^{…} - 1$ and the values $s_0 = s_{2^{…} - 1} = 1$ and $s_i = 0$ for $0 \le i < 2^{…} - 1$, $i \ne 0,\ 2^{…} - 1$.

What is the minimal characteristic polynomial of $\{s_j\}_{j\ge 0}$? What is the linear complexity of this sequence?


Problem 3.7*

Consider the binary polynomials $f(x) = 1 + x + x^3$ and $g(x) = 1 + x^{…} + x^5$. The corresponding LFSR's are denoted by LFSR($f$) resp. LFSR($g$). Let $\{s_j\}_{j\ge 0}$ and $\{t_j\}_{j\ge 0}$ denote the output sequences of LFSR($f$) resp. LFSR($g$).

The sequence $\{u_j\}_{j\ge 0}$ is defined by $u_j = s_j + t_j$, $j \ge 0$.

The $2^8$ different initial states $(s_0, s_1, s_2, t_0, t_1, t_2, t_3, t_4)$ generate different periodic sequences $\{u_j\}_{j\ge 0}$.

What are the cycle lengths (= periods) of these periodic sequences? Give an initial state of each cycle.


Problem 3.8
Consider the binary shift register depicted in the figure below.

Let $s^{(i)} = (s^{(i)}_{n-1}, s^{(i)}_{n-2}, \ldots, s^{(i)}_1, s^{(i)}_0)$ be the state of the shift register at time $i$, $i \ge 0$.
a) Give the $n \times n$ matrix $T$ satisfying $s^{(i+1)} = T s^{(i)}$ for all $i \ge 0$.
b) Prove that the characteristic equation of $T$ over $\mathbb{R}$ is given by

$$\lambda^n = c_{n-1}\lambda^{n-1} + c_{n-2}\lambda^{n-2} + \cdots + c_1\lambda + 1.$$

c) From matrix theory we may conclude that over $\mathbb{R}$

$$T^n = c_{n-1}T^{n-1} + c_{n-2}T^{n-2} + \cdots + c_1 T + I, \qquad (3.13)$$

where $I$ is the $n \times n$ identity matrix.
Since all elements in (3.13) are integer, equation (3.13) also holds modulo 2.
Derive a recurrence relation between $s^{(i+n)}, s^{(i+n-1)}, \ldots, s^{(i+1)}$, and $s^{(i)}$.
d) Which LFSR of length $n$ gives the same output sequence as the above shift register?
What does the initial state have to be in this LFSR to generate the same output sequence?


Problem 3.9
Let $\alpha \in GF(2^3)$ be a zero of $f(x) = x^3 + x + 1$. So, by Theorem B.30,

$$f(x) = (x - \alpha)(x - \alpha^2)(x - \alpha^4),$$

$$f^*(x) = (x - \alpha^3)(x - \alpha^5)(x - \alpha^6) = (1 - \alpha x)(1 - \alpha^2 x)(1 - \alpha^4 x).$$

Prove that $\Omega(f)$ consists of all sequences

$$\sum_{i \ge 0} \big(a\,\alpha^i + a^2\alpha^{2i} + a^4\alpha^{4i}\big)\,x^i, \qquad a \in GF(2^3).$$

(Hint: use Corollary 3.5 and use the partial fraction expansion over $GF(2^3)$.)

Note that the expression above can be written as $\sum_{i \ge 0} \mathrm{Tr}(a\,\alpha^i)\,x^i$, where Tr stands for the Trace function, as introduced in Problem B.16.


4 Block Ciphers 


4.1 Some General Principles 


4.1.1 Some Block Cipher Modes 


• Codebook Mode


Block ciphers are conventional cryptosystems that typically handle a fixed number of symbols at a time (under a given key) and do this encryption/decryption independent of past input blocks (see Figure 4.1). For the encryption process, the data (plaintext) enters the block cipher from the left and leaves it on the right as ciphertext. For the decryption, it is exactly the other way around.


In the next section we shall describe a few widely used block ciphers. At this moment, the particular layout of such a cipher is not so important. One should view it as an electronic device that can convert $n$-tuples of bits to other $n$-tuples at very high speeds (under a key) in such a way that the reverse process is only feasible if one knows the key.


Assuming that the plaintext is a long binary file, one breaks it up in segments $M_i$, $i \ge 0$, each $n$ bits long. The result of the encryption of $M_i$ is denoted by $C_i$ and we write

$$C_i = BC_k(M_i), \qquad i \ge 0,$$

where $k$ is the key. The decryption process will be denoted by $BC_k^{-1}$, so we have $M_i = BC_k^{-1}(C_i)$.


Since an n-tuple of symbols from an alphabet A can be viewed as one symbol from A^n, the
difference between an n-tuple from one alphabet or a single symbol from another alphabet is
theoretically of little importance but may be of great practical value.


Therefore, the key property of a block cipher is the lack of memory in the encryption device. 


It is clear that as long as the key remains the same, the same plaintext will be encrypted to the
same ciphertext. For this reason, encryption in the mode shown in Figure 4.1 is called codebook
mode. It is as if one uses a codebook or dictionary for the encryption. It may be clear that
encrypting the same message twice under the same key is cryptographically insecure, hence, block
ciphers are normally not used in codebook mode.
[Figure: plaintext → Block Cipher (key) → ciphertext]


Block Cipher in Codebook Mode


Figure 4.1


• Cipher Block Chaining


There are several standard methods to circumvent the problems mentioned above. One technique
is called cipher block chaining. We assume again that one is encrypting a long file. Each
ciphertext, say C_i at time i, is not only transmitted to the receiver, but it is also added coordinate-
wise to the next block of plaintext M_{i+1}.


To this end, the encryption algorithm has to make use of some kind of memory device, commonly 
called a buffer. See Figure 4.2 below. Of course, the buffer has to be initialized before the 
encryption process can be started. 


Note that by introducing memory to this system it technically has become a stream cipher. 







[Figure: M_{i+1} and the buffered C_i are added modulo 2 and fed to the block cipher: C_{i+1} = BC_k(M_{i+1} ⊕ C_i)]


Cipher block chaining - Encryption
Figure 4.2


The decryption process reverses the above process. The buffer has to be initialized with the same
initial value as was used to start the encryption. It can be part of the secret key or just a fixed
constant.


The notation BC_k^{-1} in Figure 4.3 stands for the inverse of the block cipher used for encryption.


[Figure: C_{i+1} enters BC_k^{-1} (key); the buffered C_i is added modulo 2 to the output: M_{i+1} = BC_k^{-1}(C_{i+1}) ⊕ C_i]


Cipher block chaining - Decryption
Figure 4.3


Remark:


Note that when C_i = C_j for some i < j in Figure 4.2, one has that M_i ⊕ C_{i−1} = M_j ⊕ C_{j−1}, i.e.
C_{i−1} ⊕ C_{j−1} = M_i ⊕ M_j. This means that the modulo 2 sum of the two previous ciphertexts is equal
to the sum of the plaintexts M_i and M_j. In many situations this means that some information
about the plaintext leaks away. For instance, as we can deduce from Example 5.2, the modulo 26
addition of two English texts (with a Vigenère Table (Table 2.3)) will still have sufficient structure
to enable a unique reversal of the addition process.


The above observation is a reason to go to longer block lengths than the ones most commonly in use
today (being 64 bits).


• Cipher Feedback Mode


Another way to make sure that a block cipher under the same key encrypts the same plaintext at 
different moments into different ciphertexts is called the cipher feedback mode. 


This method is depicted in Figure 4.4 below, but in a more general setting. In many practical 
situations, for instance in many internet protocols, one wants to transmit only a few bits at a time, 
say r bits, where r is less than the block length of the block cipher. 


Instead of padding the r bits with n — r zeros in order to get an n-tuple that can serve as input for a 
block cipher, one adds the r-tuple coordinatewise modulo 2 to the r leftmost output bits of the 
block cipher. The input of the block cipher is given by the contents of a shift register (without 
feedback) that at each clock pulse shifts r positions to the left to accommodate the r bits of the 
previous ciphertext. 
[Figure: an n-bit shift register (shifted r bits to the left at each clock pulse, the r bits of the previous ciphertext entering on the right) feeds the block cipher; the r leftmost output bits are added modulo 2 to the r plaintext bits]


Cipher Feedback Mode
Figure 4.4
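The three modes described above, implemented in Python as an added example (this is not code from the book). The block cipher is a toy: the key selects one permutation of the 2^8 possible 8-bit blocks, a size chosen only so that the codebook repetition and the chaining collisions of the Remark above can be seen on a short text. The key value, the initial buffer value and the two sample plaintexts are constructed for the example.

```python
import random

N = 8                      # block length n in bits: a toy value, far too small for real use
MASK = (1 << N) - 1

def make_block_cipher(key):
    """Toy block cipher: the key selects one permutation of the 2^n possible
    n-bit blocks.  Returns the pair (BC_k, BC_k^{-1}) as callables."""
    table = list(range(1 << N))
    random.Random(key).shuffle(table)      # deterministic for a fixed key
    inverse = [0] * (1 << N)
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__

def ecb_encrypt(bc, blocks):
    """Codebook mode: C_i = BC_k(M_i).  No memory, so equal plaintext blocks
    always produce equal ciphertext blocks under one key."""
    return [bc(m) for m in blocks]

def cbc_encrypt(bc, blocks, iv):
    """Cipher block chaining: C_i = BC_k(M_i xor C_{i-1}); the buffer holding
    the previous ciphertext is initialised with iv."""
    out, prev = [], iv
    for m in blocks:
        prev = bc(m ^ prev)
        out.append(prev)
    return out

def cbc_decrypt(bc_inv, blocks, iv):
    """Figure 4.3: M_i = BC_k^{-1}(C_i) xor C_{i-1}, same initial buffer value."""
    out, prev = [], iv
    for c in blocks:
        out.append(bc_inv(c) ^ prev)
        prev = c
    return out

def cfb_encrypt(bc, units, iv, r):
    """Cipher feedback mode with r-bit units (r <= n).  The n-bit shift
    register is encrypted, its r leftmost output bits are added modulo 2 to
    the r plaintext bits, and the r ciphertext bits are shifted in from the right."""
    out, reg = [], iv
    for m in units:
        c = m ^ (bc(reg) >> (N - r))
        out.append(c)
        reg = ((reg << r) | c) & MASK
    return out

def cfb_decrypt(bc, units, iv, r):
    """Only the forward cipher is needed: rebuild the same register contents
    from the received ciphertext units and strip the same output bits."""
    out, reg = [], iv
    for c in units:
        out.append(c ^ (bc(reg) >> (N - r)))
        reg = ((reg << r) | c) & MASK
    return out

def cbc_collision_leak(bc, blocks, iv):
    """The Remark after Figure 4.3: if C_i = C_j for i < j then
    C_{i-1} xor C_{j-1} = M_i xor M_j, so a repeated ciphertext block reveals
    the xor of two plaintext blocks.  Returns the colliding index pairs and
    whether the identity held for every pair."""
    c = cbc_encrypt(bc, blocks, iv)
    prev = [iv] + c[:-1]                   # C_{i-1}, taking C_{-1} to be the initial buffer value
    pairs = [(i, j) for i in range(len(c)) for j in range(i + 1, len(c)) if c[i] == c[j]]
    holds = all(prev[i] ^ prev[j] == blocks[i] ^ blocks[j] for i, j in pairs)
    return pairs, holds

def to_units(blocks, r):
    """Split n-bit blocks into r-bit units, most significant first (n a multiple of r)."""
    return [(b >> s) & ((1 << r) - 1) for b in blocks for s in range(N - r, -1, -r)]

# Constructed sample inputs (8-bit blocks, i.e. one byte each).
KEY = 2024
IV = 0x5A
MSG = list(b"attack at dawn. attack at dawn. ")            # two identical 16-block halves
LONG_MSG = list(b"the quick brown fox jumps over the lazy dog " * 5)

def demo():
    bc, bc_inv = make_block_cipher(KEY)
    ecb = ecb_encrypt(bc, MSG)
    cbc = cbc_encrypt(bc, MSG, IV)
    cfb = cfb_encrypt(bc, to_units(MSG, 4), IV, 4)
    pairs, holds = cbc_collision_leak(bc, LONG_MSG, IV)
    return {
        "ecb_repeats": ecb[:16] == ecb[16:32],           # the codebook problem
        "cbc_roundtrip": cbc_decrypt(bc_inv, cbc, IV) == MSG,
        "cfb_roundtrip": cfb_decrypt(bc, cfb, IV, 4) == to_units(MSG, 4),
        "cbc_collisions": len(pairs),
        "cbc_leak_holds": holds,
    }
```

With 8-bit blocks the 220-block text produces many CBC collisions, and for every one of them the xor of the two preceding ciphertext blocks equals the xor of the two plaintext blocks; with 64-bit or longer blocks such collisions become rare, which is the point of the Remark.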


4.1.2 An Identity Verification Protocol 


In this subsection, we want to give an idea how a block cipher can be used in an identity 
verification protocol. Such a protocol is a discussion between two parties in which one of them 
wants to convince the other that he is authentic. An application is, for instance, a smart card of a 
person, say Alice, who wants to withdraw money from her account through a card reader of a bank. 


While issuing the card to Alice, the bank stores two numbers on it: 


- the identity number Id_A of Alice,


- the secret key k_A of Alice.


The key k_A can not be accessed from the outside world; it does not even have to be known to
Alice. The identity number can be accessed by any card reader (it may even be printed or written
on the outside). They are related by


k_A = BC_MK(Id_A), (4.1)


where BC stands for a block cipher and MK for the bank's master key. MK is stored in every card 
reader of the bank. It would be impractical to store the secret keys of all customers in each card 
reader. 


The block cipher BC is also implemented on the card. 


When the card is inserted into the card reader, it will be asked to present its identity number (Id_A in
our case). A genuine card reader can now compute Alice's secret key k_A from (4.1).


The card reader generates a random string r of n bits and presents it as a challenge to the card. The
card returns BC_{k_A}(r) as its response to the card reader. The card reader simply verifies this
calculation. If the card's answer to the challenge r is correct, the card reader "knows" that k_A is
stored on the card and it will conclude that the card is authentic. Otherwise, it will not accept the
card.


[Figure: Card (knows k_A, Id_A) and Card Reader (knows MK).
  card → reader: Id_A
  reader: computes k_A = BC_MK(Id_A), generates random r as challenge to card
  reader → card: r
  card: computes c = BC_{k_A}(r)
  card → reader: c
  reader: checks if c = BC_{k_A}(r)]
An identity verification protocol.
Figure 4.5


The card can use the same protocol to check that the card reader is genuine. It sends its challenge
to the card reader. The reply by the card reader can only be correct if the card reader is able to
compute the secret key k_A, i.e. if the card reader knows the bank's master key MK.


Normally, a Personal Identification Code (PIN) is used to link the card to the card holder. 


4.2 DES 


• DES


In 1974 the National Bureau of Standards (NBS) solicited the American industry to develop a 
cryptosystem that could be used as a standard in unclassified U.S. Government applications. IBM 
developed a system called LUCIFER. After being modified and simplified, this system became the 
Data Encryption Standard (DES for short) in 1977. 


Right away, DES was made available on a fast chip. This made it very suitable for use in large
communication systems. The complete design of DES was made public at the time of its
introduction. This had never been done before, although in each textbook one can find the remark
that the security of a cryptosystem should not depend on the secrecy of the system.


We shall not give a complete description of DES. The reader is referred to [Konh81], [MeyM82], 
[MeOoV97], or [Schn96]. 


DES is a block cipher operating on 64 bits simultaneously (see Figure 4.6). 


The key consists of eight groups of 8 bits. One bit in each of these groups is a parity check bit that
makes the overall parity in each block odd. So, although the keysize appears to be 64, the effective
keysize is 56 bits.





[Figure: plaintext (64 bits) → DES (key) → ciphertext (64 bits)]


The Data Encryption Standard
Figure 4.6


DES consists of 16 identical rounds. The 64 input bits are divided into two halves: the 32 leftmost
bits form L_0 and the 32 rightmost bits form R_0.


In each round, a new L and R are defined by 


L_i = R_{i−1}, 1 ≤ i ≤ 16,
R_i = L_{i−1} ⊕ f(R_{i−1}, K_i), 1 ≤ i ≤ 16. (4.2)


Here, K_i stands for a well-defined subsequence of bits from the key K.


Further, f is a function of the previous right-half and this subkey K_i. This function is defined by
means of a collection of fixed tables, called substitution tables. The outcome is added
coordinatewise modulo 2 to L_{i−1}. Note that L_i is simply the previous right-half. (See Figure 4.7
below.)


The final output of DES is formed from L_16 and R_16.





A Typical Round of DES 


Figure 4.7 
In Figure 4.7 one can see that the inverse algorithm of DES can be computed from the same
scheme by simply going from the bottom to the top. Indeed, it follows from (4.2) that for all
1 ≤ i ≤ 16


R_{i−1} = L_i,
L_{i−1} = R_i ⊕ f(R_{i−1}, K_i) = R_i ⊕ f(L_i, K_i).
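An added Python example, not the book's code and not DES itself: a toy Feistel cipher on 32-bit blocks with the round structure (4.2), whose round function f and key schedule are made up for illustration (DES instead uses its substitution tables and a fixed selection of key bits per round). It shows that decryption is the same scheme run from the bottom up, adds the DES key parity convention, and uses the cipher as BC in the challenge-response protocol of Subsection 4.1.2. The master key and identity number are constructed values.

```python
import secrets

ROUNDS = 16
MASK16 = 0xFFFF

def f(r, k):
    """Toy round function standing in for DES's substitution tables.  It need
    not be invertible: Feistel decryption never computes f^{-1}."""
    x = (r ^ k) & MASK16
    x = (x * 0x9E37 + 0x79B9) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16

def subkeys(key):
    """Toy key schedule producing K_1, ..., K_16 from a 64-bit key (assumption)."""
    return [((key >> (16 * (i % 4))) + 0x1111 * i) & MASK16 for i in range(ROUNDS)]

def encrypt(block, key):
    l, r = block >> 16, block & MASK16                 # L_0, R_0
    for k in subkeys(key):
        l, r = r, l ^ f(r, k)                          # (4.2): L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i)
    return (l << 16) | r                               # output formed from L_16, R_16

def decrypt(block, key):
    l, r = block >> 16, block & MASK16                 # L_16, R_16
    for k in reversed(subkeys(key)):
        l, r = r ^ f(l, k), l                          # L_{i-1} = R_i xor f(L_i, K_i), R_{i-1} = L_i
    return (l << 16) | r

def des_key_parity_ok(key64):
    """DES convention: each of the 8 key bytes has odd parity, so only 56 of
    the 64 bits are free."""
    return all(bin((key64 >> (8 * i)) & 0xFF).count("1") % 2 == 1 for i in range(8))

# --- identity verification protocol of Subsection 4.1.2 on the toy cipher ---
def issue_card(master_key, card_id):
    """(4.1): k_A = BC_MK(Id_A).  The card stores (Id_A, k_A); readers store only MK."""
    return {"id": card_id, "key": encrypt(card_id, master_key)}

def card_response(card, challenge):
    return encrypt(challenge, card["key"])

def reader_accepts(master_key, card_id, challenge, response):
    k = encrypt(card_id, master_key)                    # the reader recomputes k_A from (4.1)
    return encrypt(challenge, k) == response

def reader_response(master_key, card_id, challenge):
    """The card's challenge to the reader: answerable only with k_A, i.e. with MK."""
    return encrypt(challenge, encrypt(card_id, master_key))

def card_accepts(card, challenge, response):
    return encrypt(challenge, card["key"]) == response

def run_protocol(master_key, card):
    """Mutual authentication: reader checks card, then card checks reader."""
    r = secrets.randbits(32)                             # reader's random challenge
    ok_card = reader_accepts(master_key, card["id"], r, card_response(card, r))
    r2 = secrets.randbits(32)                            # card's random challenge
    ok_reader = card_accepts(card, r2, reader_response(master_key, card["id"], r2))
    return ok_card and ok_reader
```

A reader holding a different master key derives a different k_A and therefore fails both directions of the protocol, which is why MK has to be protected in every card reader.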


Many people have criticized the decision to make DES a standard. The two main objections were: 


i) The effective keysize (56 bits) is too small for an organization with sufficient resources. An
exhaustive keysearch is, at least in principle, possible.


ii) The design criteria of the tables used in the f-function are not known. Statistical tests however 
show that these tables are not completely random. Maybe there is a hidden trapdoor in their 
structure. 


During the first twenty years after the publication of the DES-algorithm no effective way of
breaking it was published. However, in 1998, for the first time, a DES challenge was broken
by a more or less brute-force attack.


• Triple DES


When it became clear that DES could no longer be used to protect sensitive data, a modification
was introduced, called Triple DES. It consists of three DES implementations in a row, except that
the middle one is oriented the other way around. Thus, one has DES, DES^{-1}, and then again
DES. See Figure 4.8 below.





Triple DES 
Figure 4.8 


There are two interesting things to note about this design. First of all, the third key is the same as
the first key. The effective key size is 2×56 = 112 bits in this way. This is considered to remain
secure for many years to come.


The second observation is that the cipher in the middle is DES^{-1} instead of DES.


These two features make it possible to keep systems in which Triple DES is implemented
compatible with single DES systems. Indeed, by taking the keys 1 and 2 the same, the above
system reduces to a single DES scheme.
4.3 IDEA


There are quite a few alternatives to DES. One reason for looking for them may have been the 
export restrictions by the American government, another, the costs and patent rights. Contrary to 
DES, which uses well chosen tables in each round, some of the alternatives make use of several 
mathematical primitives that are algebraically uncorrelated. 


IDEA [Lai92] is such a system. The name stands for International Data Encryption Algorithm.
IDEA also handles 64 bits at a time (see the remark in Subsection 4.1.1 about this size), but has a
key of 128 bits. It consists of 8 identical rounds, which are depicted in Figure 4.9. The 64 bits are
equally divided over four blocks of 16 bits each. These blocks are called X_i, 1 ≤ i ≤ 4, at the input
side of a typical round and Y_i, 1 ≤ i ≤ 4, on the output side. The entries K_i, 1 ≤ i ≤ 6, denote
substrings of the key. Their composition depends on the particular round that has taken place.


The mathematical primitives in IDEA operate on these 16 bits. They are the following operations. 


• Coordinatewise XOR (addition modulo 2).
In Figure 4.9, this is depicted by ⊕.


In Mathematica the XOR can be performed with the Mod function (here shown on 4-tuples).


[Mathematica computation on two 4-tuples omitted]

• Addition modulo 2^16.


In Figure 4.9, this is depicted by a square with a plus sign in it, ⊞.


Interpret the two inputs as the binary representation of two integers. Add these integers modulo 2^16
and output the binary representation of the sum.


In Mathematica this can be performed with the FromDigits and IntegerDigits functions
(here shown on 4-tuples).


[Mathematica computation on two 4-tuples omitted; the last output shown is {1, 0, 0, 1}]


• Multiplication modulo 2^16 + 1.
In Figure 4.9, this is depicted by ⊙.


Interpret the two inputs (binary 16-tuples) as the binary representation of two integers modulo the
prime number 2^16 + 1 = 65537. Make an exception for the all-zero word which will be identified
with the integer 2^16. In this way we have a 1-1 correspondence between binary 16-tuples and the
elements of Z_65537^* (see Example B.3).


Multiply these two integers modulo 2^16 + 1, and output the binary representation of the product
(but map 10…0, the representation of 2^16, to the all-zero 16-tuple 0…0).


Since 2^16 + 1 is prime, the multiplication a⊙b (as defined above) is a one-to-one mapping for
fixed a or b. Below we demonstrate this again for 4-tuples. Note that 2^4 + 1 is also a prime number.


[Mathematica computation on 4-tuples omitted]


The reader is invited to multiply the sequences {1, 0, 0, 0} and {0, 0, 1, 0}.
[Figure: round inputs X_1 X_2 X_3 X_4, subkeys K_1, …, K_6, outputs Y_1 Y_2 Y_3 Y_4]


One Round in the International Data Encryption Algorithm
(IDEA)


Figure 4.9


As with DES, IDEA can be inverted by simply going through it from the bottom to the top. 
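The three IDEA primitives as an added Python example (not from the book, whose own demonstrations are in Mathematica), parametrised by the register length w so that w = 4 reproduces the 4-tuple demonstrations above and w = 16 gives the actual IDEA operations. The multiplicative inverse modulo 2^w + 1, which is what running the multiplication step backwards requires, is included; the bit-tuple helpers mirror the book's tuple notation.

```python
W = 16                     # IDEA's register length; W = 4 gives the book's 4-tuple demonstrations

def xor(a, b, w=W):
    """Coordinatewise XOR of two w-bit words (addition modulo 2)."""
    return (a ^ b) & ((1 << w) - 1)

def add(a, b, w=W):
    """Addition modulo 2^w of the integers represented by the two words."""
    return (a + b) % (1 << w)

def mul(a, b, w=W):
    """Multiplication modulo 2^w + 1 (prime for w = 4 and w = 16).  The all-zero
    word stands for the integer 2^w, and a product equal to 2^w (binary 1 0...0)
    is mapped back to the all-zero word."""
    m = (1 << w) + 1
    x = a if a else (1 << w)
    y = b if b else (1 << w)
    z = (x * y) % m
    return 0 if z == (1 << w) else z

def mul_inverse(a, w=W):
    """The word b with a ⊙ b = 1.  It exists for every word because 2^w + 1 is
    prime (Fermat: x^(m-2) is the inverse of x modulo a prime m); this is the
    step needed when a round is run from the bottom to the top."""
    m = (1 << w) + 1
    x = a if a else (1 << w)
    z = pow(x, m - 2, m)
    return 0 if z == (1 << w) else z

def is_permutation(a, w=W):
    """For fixed a, check that b -> a ⊙ b is one-to-one on all 2^w words."""
    return len({mul(a, b, w) for b in range(1 << w)}) == 1 << w

def to_bits(n, w):
    """Integer -> list of w bits, most significant first (the book's tuples)."""
    return [(n >> i) & 1 for i in range(w - 1, -1, -1)]

def from_bits(bits):
    n = 0
    for b in bits:
        n = (n << 1) | b
    return n

def mul_tuples(s, t):
    """The book's 4-tuple demonstration: multiply two bit tuples modulo 2^w + 1,
    where w is the tuple length."""
    w = len(s)
    return to_bits(mul(from_bits(s), from_bits(t), w), w)
```

For the two sequences the reader is invited to multiply, {1, 0, 0, 0} and {0, 0, 1, 0} represent 8 and 2, whose product 16 = 2^4 is exactly the exceptional value that maps back to the all-zero tuple.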


4.4 Further Remarks 


RC5 is a scheme that is a little bit similar to IDEA. Its algebraic primitives are again the exclusive
or and addition modulo 2^w, where w is the word length, but instead of the multiplication modulo
2^w + 1, which only works if 2^w + 1 is prime, RC5 makes use of cyclic shifts.


The block length of RC5 is 2w, where the user can select w from 16, 32, or 64. An additional
advantage of RC5 is the freedom to choose the number of rounds in the scheme. Depending on the
required speed and security, the user may opt for many or just a few rounds.


In 1993 two attacks on block ciphers were published that turned out to be surprisingly strong.
These methods are called linear and differential cryptanalysis (see [MatsY93], resp. [BihS93]) and
are in fact known plaintext attacks. Several proposed block ciphers were not strong enough against
these attacks; the DES algorithm, however, could withstand them. Later it became clear that the
inventors of DES were already aware of these attacks. For further reading we like to mention
[Knud94].
At the time of this writing, a collection of proposals are being studied by the (American) National
Institute of Standards and Technology (NIST for short) for a new industrial standard. The names of
these proposals are CAST-256, CRYPTON, DFC, DEAL, E2, FROG, HPC, LOKI97,
MAGENTA, MARS, RC6, RIJNDAEL, SAFER+, SERPENT and TWOFISH (see the web page
'Advanced Encryption Standard' http://csrc.nist.gov/encryption/aes/aes_home.htm). The outcome
of this study is not yet clear.


4.5 Problems 


Problem 4.1
Describe the decryption process for a block cipher used in cipher feedback mode.


Problem 4.2

Consider a block cipher that is used in cipher block chaining mode. Suppose that during transmission C_i,
the i-th ciphertext block, is corrupted. How many plaintext blocks will be affected?

Answer the same question for the case of cipher feedback mode.


Problem 4.3

What is the next sensible block length of IDEA, if the same scheme and the same primitives are being 
used, but only the length of the registers is increased? (This length is 16 in IDEA.) 

What is wrong with the intermediate values? 
5 Shannon Theory


5.1 Entropy, Redundancy, and Unicity Distance 


In Chapter 2, we have seen that the cryptanalysis of a cryptosystem often depends on the structure 
that is present in most texts. For instance in Table 2.1 we could find the key 22 (or -4), because 
"tu quoque Brute" was the only possible plaintext that made sense. 


This structure in the plaintext remains present in the ciphertext (although in hidden form). If the 
extra information arising from this structure exceeds our uncertainty about the key, one may be 
able to determine the plaintext from the ciphertext! 


We shall first need to quantify the concept of information. Let X be a random variable defined on
a set 𝒳 = {x_1, x_2, ..., x_n} by the probabilities


Pr_X(X = x_i) = p_i, 1 ≤ i ≤ n.
So, Σ_{i=1}^{n} p_i = 1 and p_i ≥ 0 for all 1 ≤ i ≤ n.
We shall show that
I(p_i) = −log_2 p_i (5.1)


is a good measure for the amount of information given by the occurrence of the event x_i, 1 ≤ i ≤ n.
The base 2 in (5.1) can be replaced by other choices, but reflects our intuitive notions about
information, as we shall see. With 2 as choice for the base in the logarithm the unit of information
is called a bit.


Let 𝒳 = {x} above (so n = 1). Then p_1 = 1. Now the occurrence of an event x that occurs with
probability 1 (like the sun will rise again tomorrow) gives no information whatsoever. This
corresponds nicely with I(1) = 0 in (5.1).


Now consider an event that occurs with probability 1/2, like the specific sex of a newborn baby.
So, now 𝒳 = {b, g}. Assuming that both sexes have the same probability 1/2 of occurring, such an
outcome gives precisely one bit of information. For instance, a 1 can denote a boy and a 0 can
denote a girl. This one bit of information is again in agreement with I(1/2) = 1 in (5.1).


If an event occurs with probability 1/4, then its occurrence gives two bits of information. This is 
clear in the case that there are four possible outcomes, each with probability 1/4. Each outcome 
can be represented by a different sequence of two bits. 


On the other hand, the amount of information that an event gives, when it has a probability of 1/4
to occur, should be independent of the probabilities of the other possible outcomes. Thus, the
value I(1/4) = 2 (see (5.1)) agrees again with our intuition. Continuing in this way one gets


I(1/2^k) = k, k ≥ 0. (5.2)


The expected value of the stochastic variable I(Pr_X(X)), defined over 𝒳, is called the entropy of X
and will be denoted by either H(X) or by H(p), where p = (p_1, p_2, ..., p_n). Hence,
H(X) = E[I(Pr_X(X))] = Σ_{i=1}^{n} p_i I(p_i) = −Σ_{i=1}^{n} p_i log_2 p_i,


H(p) = −Σ_{i=1}^{n} p_i log_2 p_i. (5.3)
When n = 2, one often writes p_1 = p, p_2 = 1 − p, and h(p) instead of H(p):
h(p) = −p·log_2 p − (1 − p)·log_2(1 − p), 0 ≤ p ≤ 1. (5.4)


Since x·log_2 x tends to 0 for x → 0, there are no real problems with the definition and the continuity
of the entropy function H(p) when some of the probabilities are 0 (or 1).


The function h(p) is depicted below (with the Mathematica function Plot).


[Figure: plot of h(p) for 0 ≤ p ≤ 1, rising from 0 at p = 0 to 1 at p = 1/2 and falling back to 0 at p = 1]


The entropy function h(p) can be evaluated as follows.

[Mathematica evaluation omitted]
One can give the following interpretations to the entropy H(X) of a random variable X:


- the expected amount of information that a realization of X gives, 
- our uncertainty about X, 
- the expected number of bits needed to describe an outcome of X. 


With these interpretations in mind one expects the entropy function H(X) to have the following 
properties: 


P1: H(p_1, p_2, ..., p_n) = H(p_1, p_2, ..., p_n, 0).


P2: H(p_1, p_2, ..., p_n) = H(p_{σ(1)}, p_{σ(2)}, ..., p_{σ(n)}),
for any permutation σ of the index set {1, 2, ..., n}.


P3: 0 ≤ H(p_1, p_2, ..., p_n) ≤ H(1/n, 1/n, ..., 1/n).
P4: H(p_1, p_2, ..., p_n) = H(p_1, p_2, ..., p_{n−2}, p_{n−1} + p_n) + (p_{n−1} + p_n)·H(p_{n−1}/(p_{n−1} + p_n), p_n/(p_{n−1} + p_n)).
The interpretations of these properties are straightforward. 


P1 says that adding another event to 𝒳 but one with probability 0 of occurring does not affect the
uncertainty about X.


P2 states that renumbering the different events in 𝒳 leaves the entropy the same.


P3 says that the uncertainty about X is maximal if all events have the same probability of
occurring.


Finally, P4 states that the expected number of bits necessary to describe an outcome from 𝒳 is
equal to the number of bits necessary when combining events x_{n−1} and x_n into a single event, say
x'_{n−1}, plus the number of bits necessary to distinguish between events x_{n−1} and x_n conditional on the
fact that event x'_{n−1} did occur.


For instance, if n = 4, then H(1/4, 1/4, 1/4, 1/4) = H(1/4, 1/4, 1/2) + (1/2)·H(1/2, 1/2) = (1/2 + 1/2 + 1/2) + 1/2 = 2.


Although we shall not prove it here, it can be shown [Khin57] that (5.1) is the only continuous
function satisfying (5.2) yielding an entropy function Σ_{i=1}^{n} p_i I(p_i) satisfying the above mentioned
properties P1–P4.
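An added Python example (not from the book): the entropy function of (5.3) and (5.4), the information measure (5.1), and a numerical check of properties P1–P4 on an arbitrary probability vector, which reproduces the n = 4 instance of P4 worked out above.

```python
import math

def info(p):
    """I(p) = -log2 p, the information of an event of probability p (5.1)."""
    return -math.log2(p)

def entropy(probs):
    """H(p_1, ..., p_n) = -sum_i p_i log2 p_i (5.3); a zero probability contributes 0,
    as x log2 x -> 0 for x -> 0."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def h(p):
    """The binary entropy function h(p) of (5.4)."""
    return entropy([p, 1 - p])

def uniform_entropy(n):
    """H(1/n, ..., 1/n) = log2 n, the maximum allowed by P3."""
    return entropy([1.0 / n] * n)

def check_properties(probs, tol=1e-9):
    """Numerically check P1-P4 for one probability vector p = (p_1, ..., p_n).
    P2 is checked for the permutation that reverses the order; P4 groups the
    last two events exactly as in the statement of the property."""
    n = len(probs)
    H = entropy(probs)
    p1 = abs(entropy(probs + [0.0]) - H) < tol
    p2 = abs(entropy(probs[::-1]) - H) < tol
    p3 = -tol <= H <= uniform_entropy(n) + tol
    if n >= 2:
        a, b = probs[-2], probs[-1]                     # p_{n-1} and p_n
        if a + b > 0:
            right = entropy(probs[:-2] + [a + b]) + (a + b) * h(a / (a + b))
        else:
            right = entropy(probs[:-2])                 # grouping two impossible events changes nothing
        p4 = abs(right - H) < tol
    else:
        p4 = True                                       # nothing to group
    return {"P1": p1, "P2": p2, "P3": p3, "P4": p4}

def p4_decomposition(probs):
    """Return (H(p), H(grouped), weight * H(split)) so the two terms of P4 can be read off;
    for (1/4, 1/4, 1/4, 1/4) this gives (2, 1.5, 0.5)."""
    a, b = probs[-2], probs[-1]
    grouped = entropy(probs[:-2] + [a + b])
    split = (a + b) * h(a / (a + b))
    return entropy(probs), grouped, split
```

The check is numerical, not a proof (Problem 5.1 asks for the proof), but it is a quick way to see that each property holds for any distribution one cares to try, including distributions with zero entries.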


Example 5.1 


Consider the flipping of a coin. Let Pr(head) = p and Pr(tail) = 1 − p, 0 ≤ p ≤ 1. The entropy is given by
(5.4).


That h(1/2) = 1 is of course confirmed by the fact that one needs one bit to represent the outcome of the
tossing of a fair coin. For instance, 0 ↔ heads and 1 ↔ tails.
Since h(1/4) ≈ 0.8113 one expects that on the average only 0.8113 bits are needed to represent
the outcome of the tossing of an unfair coin with Pr(head) = 1/4. This statement is true in the
sense that one can approach the number 0.8113 arbitrarily close. In Chapter 6 we shall show
how this is done. The trick will be to represent the outcome of many tossings together by one
single string of bits. For instance with two tossings one can represent the outcomes as follows:


two tossings   probability   representation
hh             1/16          111
ht             3/16          110
th             3/16          10
tt             9/16          0


The expected length of this representation is


(1/16)·3 + (3/16)·3 + (3/16)·2 + (9/16)·1 = 27/16.


But each representation describes two outcomes, so this scheme needs 27/32 ≈ 0.843 bits per
tossing. Taking three, four, ... tossings at a time leads to increasingly better approximations of
h(1/4).


There is however a problem to address, namely that the receiver of a long string of zeros and ones
should be able to determine the outcomes of the tossings in a unique way. One can easily verify
that any sequence made up from the subsequences 111, 110, 10 and 0 can only be broken up into
these subsequences in just one way. We shall address this problem extensively in Chapter 6.
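An added Python example (not from the book) that generalises the table of Example 5.1 to k tossings. The table above is a Huffman code; Huffman's construction is used here as the method (the book's own treatment is deferred to Chapter 6). The example computes the expected number of bits per tossing for k = 1, 2, 3, ..., which decreases towards h(1/4), and parses a bit string back into tossings, showing the unique decomposition claimed above. The bit string used is constructed.

```python
import heapq
import itertools
from fractions import Fraction

P_HEAD = Fraction(1, 4)                 # the unfair coin of Example 5.1

def outcome_probabilities(k):
    """Probability of each of the 2^k sequences of k tossings, e.g. 'ht'."""
    return {"".join(seq): P_HEAD ** seq.count("h") * (1 - P_HEAD) ** seq.count("t")
            for seq in itertools.product("ht", repeat=k)}

def huffman_code(probs):
    """Huffman's construction: repeatedly merge the two least likely symbol
    groups, prefixing their codewords with 0 and 1.  The result is a prefix-free
    code of minimum expected length; for k = 2 it has the codeword lengths
    3, 3, 2, 1 of the book's table."""
    heap = [(p, i, [s]) for i, (s, p) in enumerate(probs.items())]
    heapq.heapify(heap)
    code = {s: "" for s in probs}
    tag = len(heap)                      # tie-breaker so that lists are never compared
    while len(heap) > 1:
        p1, _, group1 = heapq.heappop(heap)
        p2, _, group2 = heapq.heappop(heap)
        for s in group1:
            code[s] = "0" + code[s]
        for s in group2:
            code[s] = "1" + code[s]
        heapq.heappush(heap, (p1 + p2, tag, group1 + group2))
        tag += 1
    return code

def bits_per_tossing(k):
    """Expected code length per tossing when k tossings are coded together (exact)."""
    probs = outcome_probabilities(k)
    code = huffman_code(probs)
    return sum(p * len(code[s]) for s, p in probs.items()) / k

def decode(bitstring, code):
    """Parse a bit string into symbols.  Because no codeword is a prefix of
    another, the split is unique and is found left to right."""
    by_codeword = {cw: s for s, cw in code.items()}
    symbols, current = [], ""
    for bit in bitstring:
        current += bit
        if current in by_codeword:
            symbols.append(by_codeword[current])
            current = ""
    if current:
        raise ValueError("bit string does not end on a codeword boundary")
    return symbols

BOOK_CODE = {"hh": "111", "ht": "110", "th": "10", "tt": "0"}   # the table of Example 5.1
```

For k = 1, 2, 3, 4 the expected lengths are 1, 27/32, 79/96 and 419/512 bits per tossing, i.e. 1, 0.844, 0.823, 0.818, all above h(1/4) ≈ 0.8113 and approaching it.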


Example 5.2 (Part 1) 


The 26 letters in the English alphabet can be represented with log_2 26 ≈ 4.70 bits per letter, by coding
sufficiently long strings of letters into binary strings. Indeed, for k letters one needs ⌈log_2 26^k⌉ bits and
thus one needs ⌈log_2 26^k⌉/k bits per letter, which converges to log_2 26.


On the other hand, the entropy of 1-grams can easily be computed with the probabilities given in
Table 1.1. One obtains 4.15 bits per letter.


Also for bi-grams and tri-grams these computations have been made (see [MeyM82], App. F). One
gets the following values:


H(1-grams) ≈ 4.15 bits/letter,
H(2-grams)/2 ≈ 3.62 bits/letter,
H(3-grams)/3 ≈ 3.22 bits/letter.


According to some tests the asymptotic value for n → ∞ is less than 1.5 bits/letter!
Definition 5.1

Let (X_0, X_1, ..., X_{n−1}), n ≥ 1, denote the plaintext generated by a plaintext source 𝒮 over
the alphabet {0, 1}.

Then the redundancy D_n of (X_0, X_1, ..., X_{n−1}) is defined by


D_n = n − H(X_0, X_1, ..., X_{n−1}).


The quantity δ = D_n/n stands for the average redundancy per letter.


If the alphabet size is q and each symbol is represented by log_2 q bits, the redundancy is given by
D_n = n·log_2 q − H(X_0, X_1, ..., X_{n−1}). If a different representation of the alphabet symbols is used,
say with an expected representation length of l bits per symbol, we have
D_n = n·l − H(X_0, X_1, ..., X_{n−1}).


The redundancy measures to which extent the length of the plaintext exceeds the length that is 
strictly necessary to carry the information of the text (all measured in bits). 


Let us now turn our attention to a cryptosystem 𝒞 consisting of cryptographic transformations E_k
indexed by keys k from a key space 𝒦. Assume that the unknown plaintext is a regular English
text. In the context of this chapter we assume that the cryptanalyst has unlimited computing power.
So, given a ciphertext a cryptanalyst can try out all keys to check for possible plaintexts. As soon as
the ciphertext is just a few letters long, some keys can be ruled out because they lead to
impossible or improbable letter combinations in the plaintext. The longer the ciphertext, the more
keys can be ruled out. They violate the structure or interpretation of English texts. More formally,
they violate the redundancy in the plaintext. Sooner or later, only the key that was used for the
encryption remains as the only candidate.


Let us return to the general setting. Let n be the length of the plaintext (in bits). There are 2^n
possible binary sequences, but only 2^{H(X_0, X_1, ..., X_{n−1})} represent meaningful messages. The
probability that a decryption with the wrong key hits a legitimate message is 2^{H(X_0, X_1, ..., X_{n−1})}/2^n. If
all keys are tried out and all are equally likely, one expects to find |𝒦|·2^{H(X_0, X_1, ..., X_{n−1})}/2^n
meaningful plaintexts. Let K denote the uniform distribution over the key space 𝒦. Then
|𝒦| = 2^{H(K)} and one can write that 2^{H(K)}·2^{H(X_0, X_1, ..., X_{n−1})}/2^n meaningful messages are expected. If
this number is less than 1, very likely it will be just the key used for the encryption that will
survive this analysis. The above happens if


H(K) + H(X_0, X_1, ..., X_{n−1}) − n ≤ 0,
i.e. if the redundancy satisfies
D_n ≥ H(K).


If K does not have a uniform distribution, we can still use the interpretation that H(K) denotes the 
uncertainty about the key to repeat the above reasoning. 




Definition 5.2

Consider a ciphertext-only attack on a cryptosystem 𝒞 with key-space 𝒦 and plaintext
source 𝒮. Then the unicity distance of this cryptosystem is defined by

min{ n ∈ ℕ* | D_n ≥ H(K) },


where H(K) is the entropy of the key and D_n the redundancy in the plaintext.





As soon as the redundancy in the plaintext exceeds the uncertainty about the key, the cryptanalyst
with sufficient resources may be able to determine that plaintext from the ciphertext. Thus, the
unicity distance indicates to the user of a cryptosystem when to change the key in order to keep the
system sufficiently secure.

Example 5.2 (Part 2)

We continue with Example 5.2. Assume that a simple substitution has been applied to an English
text (see Subsection 2.1.2). Assuming that all 26! possible substitutions are equally likely, one has


H(K) = −Σ_{i=1}^{26!} (1/26!)·log_2 (1/26!) = log_2 26! ≈ 88.382 bits.


If one approximates the redundancy D_n in a text of n letters by (4.70 − 1.50)n = 3.20n bits, one
obtains a unicity distance of 88.4/3.2 ≈ 28 characters.


According to Friedman [Frie73]: "practically every example of 25 or more characters
representing the mono-alphabetic substitution of a "sensible" message in English can be readily
solved." These two numbers are in remarkable agreement.
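The computation of Example 5.2 (Part 2) as an added Python example (not from the book), together with the expected number of keys that still produce English-looking text after n letters, which is the quantity behind the reasoning that led to Definition 5.2. The 1.5 bits/letter rate of English and the 4.70 bits/letter coding are the book's figures; the functions are general enough to be applied to any key entropy and redundancy.

```python
import math

def log2_factorial(n):
    """log2(n!) as a sum of logarithms, so the huge integer n! is never formed."""
    return sum(math.log2(i) for i in range(1, n + 1))

def expected_meaningful_decryptions(key_entropy, plaintext_entropy, n_bits):
    """2^H(K) * 2^H(X_0,...,X_{n-1}) / 2^n: the expected number of keys whose
    decryption of an n-bit ciphertext looks like a meaningful message
    (the correct key is one of them)."""
    return 2.0 ** (key_entropy + plaintext_entropy - n_bits)

def unicity_distance(key_entropy, redundancy_per_letter):
    """min{ n : D_n >= H(K) } (Definition 5.2) when D_n is approximated by
    n times a constant redundancy per letter."""
    n = 1
    while n * redundancy_per_letter < key_entropy:
        n += 1
    return n

# Example 5.2 (Part 2): simple substitution applied to English text.
BITS_PER_LETTER = math.log2(26)        # 4.70: a letter coded as a log2(26)-bit symbol
ENGLISH_RATE = 1.5                     # asymptotic entropy of English, bits per letter

def simple_substitution():
    """Return (H(K), unicity distance) for the simple substitution cipher."""
    key_entropy = log2_factorial(26)                       # H(K) = log2 26! = 88.38 bits
    redundancy = BITS_PER_LETTER - ENGLISH_RATE            # 4.70 - 1.50 = 3.20 bits per letter
    return key_entropy, unicity_distance(key_entropy, redundancy)

def spurious_keys_after(n_letters):
    """Expected number of keys (true key included) whose decryption of
    n_letters letters of ciphertext still looks like English."""
    key_entropy = log2_factorial(26)
    return expected_meaningful_decryptions(key_entropy,
                                           ENGLISH_RATE * n_letters,
                                           BITS_PER_LETTER * n_letters)
```

After 27 letters a few keys besides the right one are still expected to produce English-looking text; at 28 letters the expected number drops below 1, which is the unicity distance of 28 found above.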


5.2 Mutual Information and Unconditionally Secure Systems 


Quite often random variables contain information about each other. In cryptosystems, the plaintext
and the ciphertext are related through the key. In this section we shall give a formal definition (in
the information theoretic sense of the word) of an unconditionally secure cryptosystem.


Let X and Y be two random variables, defined on 𝒳 resp. 𝒴. The joint distribution
Pr_{X,Y}(X = x, Y = y) of X and Y is often shortened to just


p_{X,Y}(x, y).


Similarly, the conditional probability Pr_{X|Y}(X = x | Y = y) that X = x, given that Y = y, is
denoted by


p_{X|Y}(x | y).
It satisfies the relation


p_{X,Y}(x, y) = p_{X|Y}(x | y)·p_Y(y). (5.5)




The uncertainty about X given Y = y is defined analogously to the entropy function by
H(X | Y = y) = −Σ_{x∈𝒳} p_{X|Y}(x | y)·log_2 p_{X|Y}(x | y). (5.6)


It can be interpreted as the expected amount of information that a realization of X gives, when the 
occurrence of Y = y is already known. 


The equivocation H(X | Y) or conditional entropy of X given Y is the expected value of
H(X | Y = y) over all y. In formula,


H(X | Y) = Σ_{y∈𝒴} p_Y(y)·H(X | Y = y)
 = −Σ_{y∈𝒴} p_Y(y) Σ_{x∈𝒳} p_{X|Y}(x | y)·log_2 p_{X|Y}(x | y) (by (5.6)) (5.7)
 = −Σ_{x∈𝒳} Σ_{y∈𝒴} p_Y(y)·p_{X|Y}(x | y)·log_2 p_{X|Y}(x | y)
 = −Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·log_2 p_{X|Y}(x | y) (by (5.5)).


Let H(X, Y) be defined analogously to the entropy function H for one variable.


Theorem 5.1 (chain rule)
H(X, Y) = H(Y) + H(X | Y) = H(X) + H(Y | X).


Proof: We use (5.5) and (5.7).
H(X, Y) =
 = −Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·log_2 p_{X,Y}(x, y)
 = −Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·log_2 p_Y(y) − Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·log_2 p_{X|Y}(x | y)
 = −Σ_{y∈𝒴} p_Y(y)·log_2 p_Y(y) + H(X | Y) = H(Y) + H(X | Y).
The second equality follows by a symmetry argument.
□


In words, the above theorem states that the uncertainty about a joint realization of X and Y equals 
the uncertainty about X plus the uncertainty about Y given X. 





Theorem 5.2
Let X and Y be independent, i.e. p_{X,Y}(x, y) = p_X(x)·p_Y(y) for all x and y. Then
i) H(X, Y) = H(X) + H(Y),
ii) H(X | Y) = H(X),
iii) H(Y | X) = H(Y).


Proof: To prove i) we repeat the proof of Theorem 5.1 with p_{X,Y}(x, y) = p_X(x)·p_Y(y).
H(X, Y) = −Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·log_2 p_{X,Y}(x, y)
 = −Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·log_2 p_X(x) − Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·log_2 p_Y(y)
 = −Σ_{x∈𝒳} p_X(x)·log_2 p_X(x) − Σ_{y∈𝒴} p_Y(y)·log_2 p_Y(y)


 = H(X) + H(Y).


Statements ii) and iii) follow directly from i) and the chain rule.
□


The amount of information (see (5.1)) that a realization Y = y gives about a possible realization
X = x can be quantified as the amount of information that the occurrence of X = x gives minus
the amount of information that X = x will give when Y = y is already known. We denote this by
I_{X,Y}(x; y). It follows that


I_{X,Y}(x; y) = (−log_2 p_X(x)) − (−log_2 p_{X|Y}(x | y))
 = −log_2 ( p_X(x) / p_{X|Y}(x | y) )
 = −log_2 ( p_X(x)·p_Y(y) / p_{X,Y}(x, y) ) (by (5.5))
 = I_{Y,X}(y; x).


Note the symmetry in I_{X,Y}(x; y) = I_{Y,X}(y; x).
The mutual information I(X; Y) of X and Y is defined as the expected value of I_{X,Y}(x; y), i.e.
I(X; Y) = Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·I_{X,Y}(x; y)


 = −Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·log_2 ( p_X(x)·p_Y(y) / p_{X,Y}(x, y) ). (5.8)


Theorem 5.3
I(X; Y) = H(X) + H(Y) − H(X, Y) = H(X) − H(X | Y) = H(Y) − H(Y | X).
Proof: From (5.8) it follows that
I(X; Y) = −Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·log_2 ( p_X(x) / p_{X|Y}(x | y) )


 = −Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·log_2 p_X(x) + Σ_{x∈𝒳} Σ_{y∈𝒴} p_{X,Y}(x, y)·log_2 p_{X|Y}(x | y)


 = H(X) − H(X | Y).


The other statements follow from Theorem 5.1.


□


I(X; Y) can be interpreted as the expected amount of information that Y gives about X (or X about
Y).
Example 5.3


The binary symmetric channel can be described as follows. A source sends X = 0 or X = 1, each with
probability 1/2. The receiver gets Y = X with probability 1 − p and Y = 1 − X with probability p. It
follows that 𝒳 = 𝒴 = {0, 1} and that


p_Y(0) = p_{Y|X}(0 | 0)·p_X(0) + p_{Y|X}(0 | 1)·p_X(1) = (1 − p)·(1/2) + p·(1/2) = 1/2.


Similarly, p_Y(1) = 1/2. Also p_{X,Y}(0, 0) = p_{X,Y}(1, 1) = (1 − p)/2 and
p_{X,Y}(0, 1) = p_{X,Y}(1, 0) = p/2. So, for the binary symmetric channel we have by (5.8)


I(X; Y) = −2·( ((1 − p)/2)·log_2 ( 1/(2(1 − p)) ) + (p/2)·log_2 ( 1/(2p) ) )


= 1 + p·log_2 p + (1 − p)·log_2(1 − p) = 1 − h(p).


We conclude that the receiver gets 1 − h(p) bits of information about X per received symbol Y.
How to approach this quantity 1 − h(p) is the fundamental problem in algebraic coding theory
[MacWS77], Section 1.6.


For p = 1/2 the receiver gets no information (since h(1/2) = 1) about the transmitted symbols,
as is to be expected.


Let us now return to the conventional cryptosystem as explained in Chapter 1. Assume that a
probability distribution Pr_K(K = k) is defined on the keyspace 𝒦 and let the sequence of random
variables


M^{(u)} = (M_0, M_1, ..., M_{u−1})
denote the plaintext, and let
C^{(v)} = (C_0, C_1, ..., C_{v−1})


denote the ciphertext. So, C^{(v)} = E_K(M^{(u)}). In most applications v will be equal to u. Since E_k is a
one-to-one mapping, the plaintext is uniquely determined by the key and the ciphertext, therefore,
one has


H(M^{(u)} | K, C^{(v)}) = 0. (5.9)


Of course the user of the cryptosystem is interested to know how much information C^{(v)} leaks
about M^{(u)}.





Theorem 5.4
I(M^{(u)}; C^{(v)}) ≥ H(M^{(u)}) − H(K).


In words: the uncertainty about the key together with the information that the ciphertext gives
about the plaintext is greater than or equal to the uncertainty about the plaintext. Again, this
reflects our intuition.
Proof of Theorem 5.4:
By (5.9) and the chain rule (Thm. 5.1, which also applies to conditional entropies) one has that


H(K | C^{(v)}) = H(K | C^{(v)}) + H(M^{(u)} | K, C^{(v)}) = H(M^{(u)}, K | C^{(v)})


= H(M^{(u)} | C^{(v)}) + H(K | M^{(u)}, C^{(v)}) ≥ H(M^{(u)} | C^{(v)}).


In words: given the ciphertext the uncertainty about the key is at least as great as the uncertainty
about the plaintext. This reflects the property that knowing the ciphertext, one can reconstruct the
plaintext from the key, but not necessarily the other way around.


It follows that
H(M^{(u)} | C^{(v)}) ≤ H(K | C^{(v)}) ≤ H(K)
and by Theorem 5.3 that
I(M^{(u)}; C^{(v)}) = H(M^{(u)}) − H(M^{(u)} | C^{(v)}) ≥ H(M^{(u)}) − H(K).
□


Definition 5.3
A cryptosystem is called unconditionally secure or is said to have perfect secrecy if
$$I(M^{(u)}; C^{(v)}) = 0.$$

Corollary 5.5
A necessary condition for a cryptosystem to be unconditionally secure is given by

$$H(M^{(u)}) \le H(K).$$

In a cryptosystem where all keys and all plaintexts are equally likely, Corollary 5.5 states that you need to have at least as many keys as plaintexts.

Example 5.4
Suppose that we have $2^k$ keys, all with probability $1/2^k$. Then
$$H(K) = \sum_{i=1}^{2^k} \frac{1}{2^k} \log_2 2^k = k \text{ bits}.$$
If the messages are the outcome of $u$ tossings with a fair coin, one has in a similar way that $H(M^{(u)}) = u$, so, for perfect secrecy one needs $k \ge u$.

This can be realized by the encryption $c^{(u)} = m^{(u)} \oplus k^{(u)}$, where $k^{(u)}$ stands for the first $u$ bits of the key $k$ and where $\oplus$ stands for a coordinatewise modulo 2 addition. With this encryption, with each ciphertext $c^{(u)}$ each possible plaintext is still equally likely.
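The quantities of Example 5.3 and Example 5.4 can be checked numerically. The following Python block is an added example and not code from the book: it computes entropy and mutual information from a joint distribution by (5.8), verifies $I(X;Y) = 1 - H(p)$ for the binary symmetric channel, and, for the coordinatewise XOR scheme of Example 5.4 with $u$-bit plaintexts and $k$-bit keys, measures the leak $I(M;C)$ against the bound $H(M) - H(K)$ of Theorem 5.4. The function names and the zero-padding of a key shorter than the plaintext are this example's own assumptions.

```python
from itertools import product
from math import log2


def entropy(pmf):
    """Shannon entropy in bits of a pmf given as {outcome: probability}."""
    return -sum(p * log2(p) for p in pmf.values() if p > 0)


def binary_entropy(p):
    """The entropy function h(p) = H(p, 1-p) of (5.4)."""
    return entropy({0: p, 1: 1 - p})


def mutual_information(joint):
    """I(X;Y) = sum_{x,y} p(x,y) log2( p(x,y) / (p(x) p(y)) ), formula (5.8),
    for a joint pmf given as {(x, y): probability}."""
    px, py = {}, {}
    for (x, y), p in joint.items():
        px[x] = px.get(x, 0.0) + p
        py[y] = py.get(y, 0.0) + p
    return sum(p * log2(p / (px[x] * py[y]))
               for (x, y), p in joint.items() if p > 0)


def bsc_joint(p):
    """Joint pmf of (X, Y) for the binary symmetric channel of Example 5.3:
    X uniform on {0, 1}, Y = X with probability 1-p, Y = 1-X with probability p."""
    return {(x, y): 0.5 * ((1 - p) if x == y else p)
            for x in (0, 1) for y in (0, 1)}


def xor_joint(u, k):
    """Joint pmf of (plaintext, ciphertext) for the scheme of Example 5.4:
    uniform u-bit plaintexts, uniform k-bit keys, c = m XOR (first u key bits).
    Constructed for this example; a key with k < u bits is zero-padded, which
    models a key that is too short for the plaintext (assumption of the example)."""
    joint = {}
    weight = 1.0 / 2 ** (u + k)
    for m in product((0, 1), repeat=u):
        for key in product((0, 1), repeat=k):
            pad = (key + (0,) * u)[:u]
            c = tuple(mi ^ ki for mi, ki in zip(m, pad))
            joint[(m, c)] = joint.get((m, c), 0.0) + weight
    return joint


def xor_leak(u, k):
    """Returns (I(M;C), H(M) - H(K)).  Theorem 5.4 says the first is >= the second;
    Definition 5.3 says perfect secrecy means the first is 0."""
    joint = xor_joint(u, k)
    pm = {}
    for (m, _), p in joint.items():
        pm[m] = pm.get(m, 0.0) + p
    return mutual_information(joint), entropy(pm) - k   # 2^k equiprobable keys: H(K) = k


if __name__ == "__main__":
    for p in (0.0, 0.1, 0.5):
        print(f"BSC p={p}: I(X;Y)={mutual_information(bsc_joint(p)):.5f}, "
              f"1-H(p)={1 - binary_entropy(p):.5f}")
    for u, k in ((4, 4), (4, 2)):
        print(f"XOR u={u} k={k}: I(M;C)={xor_leak(u, k)[0]:.5f}, bound={xor_leak(u, k)[1]:.5f}")
```

With $k = u$ the leak is exactly 0 (perfect secrecy); with $k = 2$ and $u = 4$ the ciphertext leaks exactly $u - k = 2$ bits, which is the bound of Theorem 5.4 met with equality.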
5.3 Problems

Problem 5.1
Show that the function $-\sum_{i=1}^{n} p_i \log_2 p_i$ satisfies properties P1-P4 in Section 5.1.

Problem 5.2
Let $\alpha < 1/2$.

a) Prove that
$$\frac{1}{n+1}\cdot\frac{n^n}{k^k (n-k)^{n-k}} \le \binom{n}{k} \le \frac{n^n}{k^k (n-k)^{n-k}}.$$

b) Show that these inequalities imply that
$$\lim_{n\to\infty} \frac{1}{n}\log_2 \sum_{i=0}^{\lfloor \alpha n \rfloor} \binom{n}{i} = h(\alpha),$$
where $h(x)$ is the entropy function defined in (5.4).

Problem 5.3
Assume that the English language has an information rate of 1.5 bits per letter. What is the unicity distance of the Caesar cipher, when applied to an English text?

Answer the same question for the Vigenère cryptosystem with key length $r$.

Problem 5.4
Consider a memoryless message source that generates an output letter $X$ that is uniformly distributed over the alphabet $\{0, 1, 2\}$.

After transmission over a channel the symbol $Y$ that is received will be equal to $X$ with probability $1 - p$, $0 < p < 1$, and it will be equal to any of the other two letters in the alphabet with probability $p/2$.

Compute the mutual information $I(X; Y)$ between $X$ and $Y$.

Problem 5.5
Let $S$ be a plaintext source that generates independent, identically distributed letters $X$ from $\{a, b, c, d\}$. The probability distribution is given by $\Pr(X = a) = 1/2$, $\Pr(X = b) = 1/4$, and $\Pr(X = c) = \Pr(X = d) = 1/8$. Consider the two coding schemes:

    scheme A        scheme B
    a -> 00         a -> 0
    b -> 01         b -> 10
    c -> 10         c -> 110
    d -> 11         d -> 111

The output sequence of the plaintext $X$ is first converted into a $\{0, 1\}$-sequence by means of one of the above coding schemes and subsequently encrypted with the DES algorithm. What is the unicity distance for both coding schemes?

Problem 5.6
Prove that the one-time pad is an unconditionally secure cryptosystem.
6 Data Compression Techniques


It is clear from Chapter 5 (see Definitions 5.1 and 5.2) that the security of a cryptosystem can be 
significantly increased by reducing the redundancy in the plaintext. In Example 5.1 such a 
reduction has been demonstrated. 


In this chapter we shall describe two general methods to reduce the redundancy. The process of 
removing redundancy from plaintexts is called data compression or source coding. 


6.1 Basic Concepts of Source Coding for Stationary Sources 


Let a plaintext source $\mathcal{S}$ output independently chosen symbols from the alphabet $\{m_1, m_2, \ldots, m_n\}$ with respective probabilities $p_1, p_2, \ldots, p_n$. Symbol $m_i$ will be encoded into a binary string $c_i$ of length $l_i$, $1 \le i \le n$.

The set $\{c_1, c_2, \ldots, c_n\}$ is called a code $C$ for source $\mathcal{S}$. The idea of data compression is to use such a code that the expected value of the length of the encoded plaintext is minimal. Since the symbols generated by the plaintext source are independent of each other, it suffices to minimize the expected length of an encoded symbol

$$L = \sum_{i=1}^{n} p_i l_i. \qquad (6.1)$$

The minimization has to take place over all possible codes $C$ for source $\mathcal{S}$. There is however an additional constraint. A receiver (decoder) has to be able to retrieve the individual messages from the concatenation of the successive codewords. Not every code has this property. Indeed let $C = \{0, 01, 10\}$. The sequence 010 can be made in two ways: 0 followed by 10 and 01 followed by 0. This ambiguity has to be avoided.

Definition 6.1
A code $C$ is called uniquely decodable (shortened to U.D.) if every concatenation of codewords from $C$ can only in one way be split up into individual codewords.


Example 6.1

Let $n = 4$ and $C = \{0, 01, 011, 111\}$ (this is the code of Example 5.1 in reversed order). This code $C$ is U.D., as we shall now demonstrate.

Consider a concatenation of codewords. If the leftmost bit is a 1, the leftmost codeword is 111. If on the other hand the leftmost bit is a 0, the concatenation either looks like $0\underbrace{1\ldots1}_{k}$, for some $k \ge 0$, or it starts with the subsequence $0\underbrace{1\ldots1}_{k}0$ for some positive integer $k$. Depending on whether $k = 3l$, $k = 3l + 1$, or $k = 3l + 2$, the leftmost codeword is 0, 01 resp. 011. One can now remove this codeword and apply the same decoding rule to the remaining, shorter concatenation of codewords.


Theorem 6.1 McMillan Inequality [McMi56]
A necessary and sufficient condition for the existence of a uniquely decodable code $C$ of cardinality $n$ with codewords of length $l_i$, $1 \le i \le n$, is

$$\sum_{i=1}^{n} \frac{1}{2^{l_i}} \le 1. \qquad (6.2)$$

Proof: We shall only prove that the inequality above is a necessary condition for the existence of a U.D. code with codeword $c_i$ of length $l_i$, $1 \le i \le n$. That it also is a sufficient condition will be proved later in this chapter.

Let $L = \sum_{i=1}^{n} \frac{1}{2^{l_i}}$ and let us assume (without loss of generality) that $l_1 \le l_2 \le \ldots \le l_n$. Then

$$L^N = \left(\sum_{i=1}^{n} \frac{1}{2^{l_i}}\right)^N = \sum_{j = N l_1}^{N l_n} \frac{A_j}{2^{j}},$$

where $A_j$ is the number of ways to write $j$ as $l_{i_1} + l_{i_2} + \ldots + l_{i_N}$, or, alternatively, $A_j$ is the number of ways to make a concatenation of $N$ codewords of total length $j$.

Because $C$ is U.D., no two different choices of $N$-tuples of codewords will give rise (when concatenated) to the same string of length $j$. So, $A_j \le 2^{j}$.

Substitution of this inequality in the expression for $L^N$ above implies that for all $N \ge 1$

$$L^N \le \sum_{j = N l_1}^{N l_n} 1 = N(l_n - l_1) + 1.$$

Since the left-hand side would grow exponentially in $N$ if $L > 1$, while the right-hand side is a linear function of $N$, we conclude that $L \le 1$. □


As can be seen in Example 6.1, one may have to look for a much longer prefix of the received 
sequence than the length of the longest codeword to be able to decode it. This is not very practical. 


Definition 6.2
A code $C$ is called a prefix code or instantaneous if no codeword is a prefix of another codeword.

The code in Example 6.1 is not a prefix code, since the codeword 0 is a prefix of the codeword 01. The code in Example 5.1 clearly is a prefix code. For the decoding of a prefix code one simply looks for a prefix of the received sequence that is a codeword. Because the code is a prefix code this codeword is unique. Remove it and proceed in the same way.

Note that when a prefix code is used, one only needs to examine at most $l_n$ bits of the received sequence to determine the first codeword in the received sequence.


The above observation proves the next theorem. 


Lemma 6.2 
A prefix code is uniquely decodable. 
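As an added illustration of Definition 6.2 and of the remark above (this is Python written for this text, not code from the book), the following block contrasts a prefix decoder, which never inspects more bits than the longest codeword, with the decoding rule of Example 6.1, which must scan a whole run of ones before it can name the first codeword. The symbol names a, b, c, d attached to the codewords are an assumption of the example.

```python
def is_prefix_code(code):
    """Definition 6.2: no codeword is a prefix of another codeword.
    code maps symbol -> codeword string."""
    words = list(code.values())
    return not any(a != b and b.startswith(a) for a in words for b in words)


def decode_prefix(code, bits):
    """Decode a prefix code by peeling off, each time, the unique codeword that is
    a prefix of what remains; at most max(l_i) bits are inspected per codeword.
    Raises ValueError if the bits are not a concatenation of codewords."""
    if not is_prefix_code(code):
        raise ValueError("not a prefix code")
    lookup = {w: s for s, w in code.items()}
    longest = max(len(w) for w in lookup)
    out, i = [], 0
    while i < len(bits):
        for n in range(1, longest + 1):
            if bits[i:i + n] in lookup:
                out.append(lookup[bits[i:i + n]])
                i += n
                break
        else:
            raise ValueError("not a concatenation of codewords")
    return "".join(out)


# The code of Example 6.1; the symbol names a..d are ours.
EXAMPLE_6_1 = {"a": "0", "b": "01", "c": "011", "d": "111"}


def decode_example_6_1(bits):
    """The rule of Example 6.1: a leading 1 means the codeword 111; a leading 0
    followed by k ones (and then a 0 or the end) means 0, 01 or 011 according to
    k = 3l, 3l+1 or 3l+2.  Returns the symbols and the largest number of bits that
    had to be inspected before one codeword could be emitted (unbounded in general)."""
    inv = {w: s for s, w in EXAMPLE_6_1.items()}
    out, i, lookahead = [], 0, 0
    while i < len(bits):
        if bits[i] == "1":
            word, needed = "111", 3
        else:
            k = 0
            while i + 1 + k < len(bits) and bits[i + 1 + k] == "1":
                k += 1
            # the leading 0, the k ones, and the terminating 0 (if any) were read
            needed = k + 2 if i + 1 + k < len(bits) else k + 1
            word = {0: "0", 1: "01", 2: "011"}[k % 3]
        if bits[i:i + len(word)] != word:
            raise ValueError("not a concatenation of codewords")
        lookahead = max(lookahead, needed)
        out.append(inv[word])
        i += len(word)
    return "".join(out), lookahead


if __name__ == "__main__":
    ex51 = {"a": "0", "b": "10", "c": "110", "d": "111"}   # the code of Example 5.1
    print(decode_prefix(ex51, "0101101110"))             # abcda, 3 bits lookahead at most
    print(decode_example_6_1("011111110"))               # ('bdda', 9): 9 bits before the first symbol
```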


Theorem 6.3 Kraft Inequality [Kraf49]
A necessary and sufficient condition for the existence of a prefix code with codeword lengths $l_i$, $1 \le i \le n$, is

$$\sum_{i=1}^{n} \frac{1}{2^{l_i}} \le 1. \qquad (6.3)$$

Proof: A prefix code is U.D. by Lemma 6.2. So, it follows from the McMillan inequality (Thm. 6.1) that (6.3) is a necessary condition for a code to be a prefix code.

We shall now prove that (6.3) implies the existence of a prefix code with codewords $c_i$ of lengths $l_i$, $1 \le i \le n$, and a fortiori of a U.D. code with these lengths.

Without loss of generality $l_1 \le l_2 \le \ldots \le l_n$. Because of this ordering and since $\sum_{j=1}^{i-1} \frac{1}{2^{l_j}} < 1$ we can define vectors $c_i = (c_{i,1}, c_{i,2}, \ldots, c_{i,l_i})$, $1 \le i \le n$, by the binary expansion of $\sum_{j=1}^{i-1} 1/2^{l_j}$:

$$\sum_{j=1}^{i-1} \frac{1}{2^{l_j}} = \frac{c_{i,1}}{2} + \frac{c_{i,2}}{2^2} + \ldots + \frac{c_{i,l_i}}{2^{l_i}}.$$

(The expansion indeed fits in $l_i$ digits, because every term on the left has a denominator dividing $2^{l_{i-1}}$ and $l_{i-1} \le l_i$.) For instance, $c_1 = (0, 0, \ldots, 0)$ of length $l_1$, $c_2 = (0, \ldots, 0, 1, 0, \ldots, 0)$ of length $l_2$ with a one on coordinate $l_1$, etc. By definition, $c_i$ has length $l_i$.

It remains to show that no $c_u$ can be the prefix of a codeword $c_v$, $u \ne v$. Suppose the contrary. Clearly $l_u \ne l_v$, otherwise the two words would be identical. So, $l_u < l_v$ and thus $u < v$. It also follows that

$$\sum_{j=1}^{v-1} \frac{1}{2^{l_j}} \overset{\text{def. } c_v}{=} \sum_{k=1}^{l_v} \frac{c_{v,k}}{2^k} \overset{\text{prefix}}{=} \sum_{k=1}^{l_u} \frac{c_{u,k}}{2^k} + \sum_{k=l_u+1}^{l_v} \frac{c_{v,k}}{2^k} < \sum_{j=1}^{u-1} \frac{1}{2^{l_j}} + \frac{1}{2^{l_u}} = \sum_{j=1}^{u} \frac{1}{2^{l_j}},$$

while on the other hand

$$\sum_{j=1}^{v-1} \frac{1}{2^{l_j}} = \sum_{j=1}^{u} \frac{1}{2^{l_j}} + \sum_{j=u+1}^{v-1} \frac{1}{2^{l_j}} \ge \sum_{j=1}^{u} \frac{1}{2^{l_j}}.$$

These two inequalities contradict each other. □


Example 6.2
Consider $l_1 = 1$, $l_2 = 2$, $l_3 = 3$, and $l_4 = l_5 = 4$.

Since $\frac{1}{2} + \frac{1}{4} + \frac{1}{8} + \frac{1}{16} + \frac{1}{16} = 1$, the Kraft inequality is satisfied.

The proof above gives the following codewords (we have used the Mathematica functions Length, Do, Table, IntegerDigits, and Print; the $i$-th codeword is the binary expansion of $2^{l_i} \sum_{j=1}^{i-1} 1/2^{l_j}$ written with $l_i$ digits):

    l = {1, 2, 3, 4, 4};
    L = Length[l]; c =.;
    c[1] = Table[0, {l[[1]]}];
    Do[c[i] = IntegerDigits[2^l[[i]] Sum[1/2^l[[j]], {j, 1, i - 1}], 2, l[[i]]], {i, 2, L}];
    Do[Print[c[i]], {i, 1, L}]

    {0}
    {1, 0}
    {1, 1, 0}
    {1, 1, 1, 0}
    {1, 1, 1, 1}

This code is a prefix code, as one can easily verify.
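The construction in the proof of Theorem 6.3, and the computation of Example 6.2, as an added Python example (this is not the book's Mathematica code): kraft_code builds each codeword from the partial sum $\sum_{j<i} 2^{-l_j}$ using exact fractions, and the prefix property is verified afterwards. It goes slightly beyond the example in that it also accepts lengths that are not sorted, by sorting them internally and returning the codewords in the caller's order. Function names are this example's own.

```python
from fractions import Fraction


def kraft_sum(lengths):
    """Left-hand side of (6.2)/(6.3), computed exactly."""
    return sum(Fraction(1, 2 ** l) for l in lengths)


def kraft_code(lengths):
    """Construct a prefix code from lengths satisfying (6.3), as in the proof of
    Theorem 6.3: process the lengths in non-decreasing order and let c_i be the
    first l_i binary digits of sum_{j<i} 2^{-l_j}.  Returns the codewords in the
    order of the input lengths."""
    if any(l < 1 for l in lengths):
        raise ValueError("codeword lengths must be positive")
    if kraft_sum(lengths) > 1:
        raise ValueError("Kraft inequality (6.3) violated")
    order = sorted(range(len(lengths)), key=lambda i: lengths[i])
    words = [None] * len(lengths)
    acc = Fraction(0)
    for i in order:
        l = lengths[i]
        # acc has a denominator dividing 2^l, so acc * 2^l is an integer < 2^l
        # and its l-digit binary expansion is exactly the codeword of the proof
        words[i] = format(int(acc * 2 ** l), f"0{l}b")
        acc += Fraction(1, 2 ** l)
    return words


def is_prefix_free(words):
    """Definition 6.2 on a list of codeword strings."""
    return not any(a != b and b.startswith(a) for a in words for b in words)


if __name__ == "__main__":
    lengths = [1, 2, 3, 4, 4]                     # Example 6.2
    code = kraft_code(lengths)
    print(kraft_sum(lengths), code, is_prefix_free(code))
    # prints: 1 ['0', '10', '110', '1110', '1111'] True
```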


It is quite remarkable that the McMillan and the Kraft conditions ((6.2) and (6.3)) are the same. It follows that the smallest average value of the length of a U.D. code is equal to the smallest average value of the length of a prefix code!

The next two theorems give bounds on the average value of the length of a prefix code (or a U.D. code).

Theorem 6.4
Consider a plaintext source $\mathcal{S}$ that outputs messages $m_i$ with probability $p_i$, $1 \le i \le n$. Let $C$ be a U.D. code which maps message $m_i$ into codeword $c_i$ of length $l_i$, $1 \le i \le n$. Then the expected value $L = \sum_{i=1}^{n} p_i l_i$ of the length of an encoding satisfies

$$L \ge H(p).$$

Proof: It follows from the well-known inequality $\ln x \le x - 1$, $x > 0$, and from (6.2) that

$$H(p) - L = -\sum_{i=1}^{n} p_i \log_2 p_i - \sum_{i=1}^{n} p_i l_i = \sum_{i=1}^{n} p_i \log_2 \frac{2^{-l_i}}{p_i} = \frac{1}{\ln 2} \sum_{i=1}^{n} p_i \ln \frac{2^{-l_i}}{p_i}$$
$$\le \frac{1}{\ln 2} \sum_{i=1}^{n} p_i \left(\frac{2^{-l_i}}{p_i} - 1\right) = \frac{1}{\ln 2}\left(\sum_{i=1}^{n} \frac{1}{2^{l_i}} - 1\right) \le 0. \qquad □$$
Theorem 6.5
Consider a plaintext source $\mathcal{S}$ that outputs messages $m_i$ with probability $p_i$, $1 \le i \le n$. Then a prefix code $C$ exists for this source with an expected word length $L$ satisfying

$$L < H(p) + 1.$$

Proof: Define $l_i$ by $l_i = \lceil \log_2 1/p_i \rceil$, $1 \le i \le n$. Then $2^{l_i} \ge 1/p_i$ and thus

$$\sum_{i=1}^{n} \frac{1}{2^{l_i}} \le \sum_{i=1}^{n} p_i = 1.$$

For these values of $l_i$, $1 \le i \le n$, construct the code $C$ as described in the proof of Theorem 6.3. It is a prefix code and the expected value $L$ of its length satisfies

$$L = \sum_{i=1}^{n} p_i l_i = \sum_{i=1}^{n} p_i \lceil \log_2 1/p_i \rceil < \sum_{i=1}^{n} p_i (\log_2 1/p_i + 1) = H(p) + 1. \qquad □$$

Corollary 6.6
The minimal expected length of all prefix (or U.D.) codes for a plaintext source $\mathcal{S}$ with probability distribution $p$ has a value $L$ satisfying

$$H(p) \le L < H(p) + 1.$$


We shall now apply the above corollary to $N$-tuples of source symbols. Since the entropy of $N$ independent symbols equals $N$ times the entropy of one symbol, one gets an expected length $L^{(N)}$ for an $N$-gram that satisfies

$$N \cdot H(p) \le L^{(N)} < N \cdot H(p) + 1.$$

It follows that

$$H(p) \le \frac{L^{(N)}}{N} < H(p) + \frac{1}{N}. \qquad (6.4)$$

So, $\lim_{N\to\infty} L^{(N)}/N = H(p)$. This confirms the last of the three interpretations of the entropy function $H$ that were given at the beginning of Chapter 5.
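To see (6.4) in numbers, the following added Python example (not code from the book) assigns the lengths $\lceil \log_2 1/p_i \rceil$ of the proof of Theorem 6.5 to all $N$-grams of a small source and reports $L^{(N)}/N$, which is squeezed between $H(p)$ and $H(p) + 1/N$. The source distribution used is a constructed one, and the function names are this example's own.

```python
from itertools import product
from math import ceil, log2, prod


def entropy(p):
    """H(p) in bits for a list of probabilities."""
    return -sum(x * log2(x) for x in p if x > 0)


def shannon_lengths(p):
    """l_i = ceil(log2(1/p_i)) from the proof of Theorem 6.5.  These satisfy the
    Kraft inequality (6.3), so a prefix code with them exists by Theorem 6.3."""
    return [ceil(log2(1 / x)) for x in p]


def kraft_sum(lengths):
    return sum(2.0 ** -l for l in lengths)


def expected_length(p, lengths):
    """L = sum p_i l_i, formula (6.1)."""
    return sum(x * l for x, l in zip(p, lengths))


def ngram_distribution(p, n):
    """Probabilities of all n-grams of n independent symbols drawn from p."""
    return [prod(t) for t in product(p, repeat=n)]


def rate_per_symbol(p, n):
    """L^(N)/N of (6.4) for the Shannon lengths of the N-gram source."""
    pn = ngram_distribution(p, n)
    lengths = shannon_lengths(pn)
    if kraft_sum(lengths) > 1.0 + 1e-12:
        raise AssertionError("Kraft inequality violated; cannot happen for Shannon lengths")
    return expected_length(pn, lengths) / n


def bounds_hold(p, n):
    """Checks H(p) <= L^(N)/N < H(p) + 1/N, i.e. (6.4)."""
    h = entropy(p)
    return h - 1e-12 <= rate_per_symbol(p, n) < h + 1.0 / n


if __name__ == "__main__":
    P = [0.9, 0.1]                                   # constructed source
    print(f"H(p) = {entropy(P):.4f}")
    for n in range(1, 6):
        print(f"N={n}: L^(N)/N = {rate_per_symbol(P, n):.4f}, bound {entropy(P) + 1 / n:.4f}")
```

For the skewed source above the single-symbol Shannon code spends 1.3 bits per symbol against an entropy of about 0.47 bits; coding pairs already brings the rate down to 0.8 bits per symbol, and the bound $H(p) + 1/N$ shrinks with $N$ as (6.4) predicts.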


We shall now derive some properties that a prefix code with minimal expected length $L$ will satisfy.
Theorem 6.7

Consider the source $\mathcal{S}$ which outputs independent symbols $m_i$, $1 \le i \le n$, with probabilities $p_1 \ge p_2 \ge \ldots \ge p_n$.

Among all U.D. codes for this source, let $C$ be one which minimizes the expected value $L$ of the length of an encoding. Let this code $C$ have codewords $c_i$ of length $l_i$, $1 \le i \le n$. Then, after a suitable reindexing of codewords associated with the messages of the same probability,

P1) $l_1 \le l_2 \le \ldots \le l_n$.

P2) $C$ can be assumed to be a prefix code.

P3) $\sum_{i=1}^{n} \frac{1}{2^{l_i}} = 1$.

P4) $l_{n-1} = l_n$.

P5) Two of the codewords of length $l_n$ differ only in their last coordinate.

Proof:

P1) Suppose that $p_u > p_v$ and $l_u > l_v$. Make a new code $C^*$ from $C$ by interchanging $c_u$ and $c_v$. Then $C^*$ is also a U.D. code. The expected length $L^*$ of $C^*$ satisfies

$$L^* = L + p_u(l_v - l_u) + p_v(l_u - l_v) = L + (p_u - p_v)(l_v - l_u) < L.$$

This contradicts our assumption on the minimality of $L$.

If $p_u = p_v$, $u < v$, one can obtain $l_u \le l_v$ by a simple renumbering of the indices.

P2) If a U.D. code exists with expected length $L$, then a prefix code with the same expected length $L$ also exists because the necessary and sufficient conditions in Theorems 6.1 and 6.3 are the same.

P3) If $\sum_{i=1}^{n} \frac{1}{2^{l_i}} < 1$ one can decrease $l_n$ by 1 and still satisfy the Kraft inequality (6.3). By Theorem 6.3 a prefix code with smaller expected length would exist. This contradicts our assumption on $C$.

P4) If $l_n > l_{n-1}$, then P1 implies that $l_n$ is strictly greater than any of the other codeword lengths. It follows that the left-hand side in P3) will be a rational number with denominator $2^{l_n}$. For this reason it can not be equal to 1.

P5) Delete the last coordinate of $c_n$ and call the resulting vector $c_n^*$. Let $C^*$ be the code $\{c_1, c_2, \ldots, c_{n-1}, c_n^*\}$. It follows from P3) that $C^*$ does not satisfy the Kraft inequality (6.3). So $C^*$ is not a prefix code, while $C$ was. This is only possible if $c_n^*$ is a proper prefix of some codeword $c_i$, $1 \le i \le n-1$. This means that this $c_i$ must have length $l_n$ too and also that $c_i$ and $c_n$ differ in just their last coordinate. □


Property P5 gives a clue how to construct a U.D. code with minimal expected codeword length. 
The method will be described in the next section. 
6.2 Huffman Codes

The Huffman algorithm [Huff52] constructs for every stationary plaintext source a prefix code that has an average codeword length that is minimal among all U.D. codes for this source. The algorithm has a recursive character.

If the plaintext source has only two possible output symbols, both with a non-zero probability of occurring, the best one can do is to assign the symbols 0 and 1 to them. Clearly, $L = 1 < H(p) + 1$ in this case.

Each recursion step consists of two parts: a reduction process and a splitting process.

The reduction process.
Let $\mathcal{S}$ be a plaintext source which outputs independent symbols $m_i$, $1 \le i \le n$, with probabilities $p_1 \ge p_2 \ge \ldots \ge p_n$. Replace the two symbols $m_{n-1}$ and $m_n$ by one new symbol $m^*_{n-1}$ with probability $p^*_{n-1} = p_{n-1} + p_n$. In this way, a new source $\mathcal{S}^*$ is obtained with one output symbol less than $\mathcal{S}$.

The splitting process.
Let $C^* = \{c_1^*, c_2^*, \ldots, c_{n-2}^*, c_{n-1}^*\}$ be a prefix code of minimal expected length $L^*$ for the output symbols $\{m_1, m_2, \ldots, m_{n-2}, m^*_{n-1}\}$ of $\mathcal{S}^*$ (to find this code in the recursion process, one may want to reindex these symbols in order of non-increasing probabilities).

The code $C$ is given by

$$c_i = c_i^* \quad \text{for } 1 \le i \le n-2,$$
$$c_{n-1} = (c^*_{n-1}, 0),$$
$$c_n = (c^*_{n-1}, 1).$$

In words, when the symbol $m^*_{n-1}$ is split up in the two symbols $m_{n-1}$ and $m_n$, the codeword $c^*_{n-1}$ will be extended with a 0 resp. 1 (or the other way around) to distinguish them.

Example 6.3

Let $n = 6$ and let the plaintext source output independent symbols described by the table:

    symbol        m1    m2    m3    m4    m5    m6
    probability   0.3   0.2   0.2   0.1   0.1   0.1

To keep track of the reduction process, we use the notation $(m_{n-1} + m_n)$ for $m^*_{n-1}$. After applying one reduction and a reordering of the probabilities in non-increasing order we get

    m1    m2    m3    (m5 + m6)    m4
    0.3   0.2   0.2   0.2          0.1

Repeating this process, one gets

    m1    (m4 + (m5 + m6))    m2    m3
    0.3   0.3                 0.2   0.2

and

    (m2 + m3)    m1    (m4 + (m5 + m6))
    0.4          0.3   0.3

and finally

    (m1 + (m4 + (m5 + m6)))    (m2 + m3)
    0.6                        0.4

For the splitting process we traverse the above process in opposite direction. We start with the code {0, 1} and at each splitting of a message into two messages, we append a zero resp. a one.

Note how $m_i$ is replaced by $c_i$ at each step. We get

    (c1 + (c4 + (c5 + c6)))    (c2 + c3)
    (0)                        (1)

and

    (c2 + c3)    c1        (c4 + (c5 + c6))
    (1)          (0, 0)    (0, 1)

and

    c1        (c4 + (c5 + c6))    c2        c3
    (0, 0)    (0, 1)              (1, 0)    (1, 1)

and

    c1        c2        c3        (c5 + c6)    c4
    (0, 0)    (1, 0)    (1, 1)    (0, 1, 0)    (0, 1, 1)

and

    c1        c2        c3        c4           c5              c6
    (0, 0)    (1, 0)    (1, 1)    (0, 1, 1)    (0, 1, 0, 0)    (0, 1, 0, 1)

We see that $l_1 = l_2 = l_3 = 2$, $l_4 = 3$, and $l_5 = l_6 = 4$. One can easily check that $\sum_{i=1}^{6} 1/2^{l_i} = 1$ and that $H(p) \le L < H(p) + 1$. We use the MultiEntropy function defined in Section 5.1 and further the Mathematica function Length.


    MultiEntropy[p_List] := -Sum[p[[i]] Log[2, p[[i]]], {i, 1, Length[p]}]
    p = {0.3, 0.2, 0.2, 0.1, 0.1, 0.1};
    MultiEntropy[p]
    l = {2, 2, 2, 3, 4, 4}; len = Length[l];
    Sum[1/2^l[[i]], {i, 1, len}]
    L = Sum[p[[i]] l[[i]], {i, 1, len}]
    MultiEntropy[p] <= L < MultiEntropy[p] + 1

    2.44644
    1
    2.5
    True


To demonstrate this Huffman code, we apply it to a text made up by the first 6 letters of the alphabet. We first simulate the source with the Mathematica functions Which, Random and Do (note that <> joins two strings).

    SeedRandom[12321]; randomchar[x_] :=
      Which[x < 0.3, "a", x < 0.5, "b", x < 0.7, "c",
            x < 0.8, "d", x < 0.9, "e", x < 1, "f"];
    sourcetext = ""; n = 10;
    Do[sourcetext = sourcetext <> randomchar[Random[Real, {0, 1}]], {j, 1, n}];
    sourcetext

    eedcbccaec


To encode we use the Huffman coding determined above and the function StringReplace.

    code = StringReplace[sourcetext, {"a" -> "00", "b" -> "10",
             "c" -> "11", "d" -> "011", "e" -> "0100", "f" -> "0101"}]

    010001000111110111100010011


To compare the length of this particular coding with the entropy we use the function MultiEntropy defined above and the Mathematica function StringLength.

    StringLength[code]/n - MultiEntropy[p]

    0.253561

In Mathematica, the decoding can be implemented with the function StringReplace, because this function works from left to right, as follows.

    st = StringReplace[code, {"0101" -> "f", "0100" -> "e", "011" -> "d",
           "11" -> "c", "10" -> "b", "00" -> "a"}]
    sourcetext == st

    eedcbccaec
    True


In fact, the following figure gives a better way to describe the decoding process. Read the received string bitwise from left to right. Depending on the input symbol follow the tree from its root to the right: a 1 lets you go up and a 0 down. As soon as a leaf (end point) of the tree has been reached, write down the corresponding alphabet symbol and start again at the root with the next bit. For instance, the first two symbols in "00010000010000101000010011" are "00" and lead to symbol "a". The next four symbols are "0100" and lead to "e", etc.

[Figure 6.1: Decoding Tree for Huffman Code (root at the left; a 1 goes up, a 0 goes down)]
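The reduction/splitting recursion of Section 6.2, the encoding of the sample text, the tree-walk decoding of Figure 6.1 and the properties of Theorem 6.7, as one added Python example (this is not the book's Mathematica code). Probabilities are given as exact fractions so that ties are exact; ties are broken by keeping the earlier symbol first, which is the choice that reproduces the codewords of Example 6.3 (another tie-break gives a different but equally optimal code). The check functions are named by us.

```python
from fractions import Fraction
from math import log2


def huffman(probs):
    """Huffman code by the recursion of Section 6.2.  probs: {symbol: probability}.
    Reduction: merge the two least probable symbols into one; splitting: code the
    reduced source and extend the merged codeword by 0 resp. 1.
    Returns {symbol: codeword string}."""
    order = sorted(probs, key=lambda s: -probs[s])      # non-increasing, stable on ties
    if len(order) < 2:
        raise ValueError("need at least two symbols")
    if len(order) == 2:
        return {order[0]: "0", order[1]: "1"}
    prev, last = order[-2], order[-1]
    merged = (prev, last)                               # the text writes (m_{n-1} + m_n)
    reduced = {s: probs[s] for s in order[:-2]}
    reduced[merged] = probs[prev] + probs[last]
    code_star = huffman(reduced)                        # minimal code for S*
    code = {s: w for s, w in code_star.items() if s != merged}
    code[prev] = code_star[merged] + "0"
    code[last] = code_star[merged] + "1"
    return code


def encode(code, text):
    return "".join(code[s] for s in text)


def decode(code, bits):
    """Walk the decoding tree (Figure 6.1): read bits from the root until a
    codeword (leaf) is reached, emit its symbol, and restart at the root."""
    inv = {w: s for s, w in code.items()}
    out, node = [], ""
    for b in bits:
        node += b
        if node in inv:
            out.append(inv[node])
            node = ""
    if node:
        raise ValueError("trailing bits do not form a codeword")
    return "".join(out)


def entropy(probs):
    return -sum(p * log2(p) for p in probs.values() if p > 0)


def expected_length(code, probs):
    """L = sum p_i l_i, formula (6.1)."""
    return sum(probs[s] * len(code[s]) for s in probs)


def theorem_6_7_checks(code, probs):
    """P1: lengths non-decreasing when symbols are ordered by non-increasing
    probability; P3: Kraft sum equals 1; P4/P5: the longest length occurs at least
    twice and two codewords of that length differ only in their last bit."""
    order = sorted(probs, key=lambda s: -probs[s])
    lengths = [len(code[s]) for s in order]
    p1 = all(a <= b for a, b in zip(lengths, lengths[1:]))
    p3 = abs(sum(2.0 ** -l for l in lengths) - 1.0) < 1e-12
    longest = [w for w in code.values() if len(w) == max(lengths)]
    p4p5 = len(longest) >= 2 and len({w[:-1] for w in longest}) < len(longest)
    return p1, p3, p4p5


# The source of Example 6.3 (probabilities 0.3, 0.2, 0.2, 0.1, 0.1, 0.1 as fractions).
P = {s: Fraction(w, 10) for s, w in zip("abcdef", (3, 2, 2, 1, 1, 1))}

if __name__ == "__main__":
    code = huffman(P)
    print(code)                         # a:00 b:10 c:11 d:011 e:0100 f:0101
    bits = encode(code, "eedcbccaec")
    print(bits, decode(code, bits))
    print(float(expected_length(code, P)), entropy(P), theorem_6_7_checks(code, P))
```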
Lemma 6.8

Let $\mathcal{S}$ be a plaintext source with independent output symbols $m_i$, $1 \le i \le n$, with probabilities $p_1 \ge p_2 \ge \ldots \ge p_n$. Let $\mathcal{S}^*$ be the reduced plaintext source with independent output symbols $m^*_i$, $1 \le i \le n-1$, with probabilities $p^*_i = p_i$, $1 \le i \le n-2$, and $p^*_{n-1} = p_{n-1} + p_n$.

Assume that $C^*$ is a prefix code for source $\mathcal{S}^*$ that minimizes the expected value of the length of any prefix encoding for $\mathcal{S}^*$. Let the words in $C^*$ be denoted by $c^*_i$, $1 \le i \le n-1$. Define code $C$ for $\mathcal{S}$ by $c_i = c^*_i$ for $1 \le i \le n-2$, $c_{n-1} = (c^*_{n-1,1}, \ldots, c^*_{n-1,l^*_{n-1}}, 0)$ and $c_n = (c^*_{n-1,1}, \ldots, c^*_{n-1,l^*_{n-1}}, 1)$.

Then $C$ is a prefix code for source $\mathcal{S}$ that minimizes the expected value of the length of any prefix encoding for $\mathcal{S}$.

Proof: That $C$ is a prefix code is straightforward. Let $l_i$ and $l^*_i$ denote the length of $c_i$ resp. $c^*_i$. These numbers are related by $l_i = l^*_i$, $1 \le i \le n-2$, and $l_{n-1} = l_n = l^*_{n-1} + 1$. The expected lengths $L$ and $L^*$ of $C$ resp. $C^*$ are related by:

$$L = \sum_{i=1}^{n} p_i l_i = \sum_{i=1}^{n-2} p_i l_i + p_{n-1} l_{n-1} + p_n l_n = \sum_{i=1}^{n-2} p_i l^*_i + p_{n-1}(l^*_{n-1} + 1) + p_n(l^*_{n-1} + 1) =$$
$$= \sum_{i=1}^{n-2} p^*_i l^*_i + (p_{n-1} + p_n)\, l^*_{n-1} + (p_{n-1} + p_n) = \sum_{i=1}^{n-1} p^*_i l^*_i + (p_{n-1} + p_n) = L^* + (p_{n-1} + p_n).$$

From Theorem 6.7 and a reasoning like the above, we know that any prefix code $\tilde{C}$ for source $\mathcal{S}$ that minimizes the expected value of the length of an encoding for $\mathcal{S}$ can be reduced to a code for source $\mathcal{S}^*$ that has an expected encoding length equal to $\tilde{L} - (p_{n-1} + p_n)$. Since $L^*$ was minimal for $\mathcal{S}^*$, we have $\tilde{L} - (p_{n-1} + p_n) \ge L^* = L - (p_{n-1} + p_n)$, i.e. $\tilde{L} \ge L$. Since $\tilde{L}$ was minimal for $\mathcal{S}$, we conclude that $\tilde{L} = L$, i.e. $C$ realizes the minimal expected length for an encoding of $\mathcal{S}$. □


Theorem 6.9

Let $\mathcal{S}$ be a plaintext source with independent output symbols $m_i$, $1 \le i \le n$, with probabilities $p_1 \ge p_2 \ge \ldots \ge p_n$.

Then the Huffman code for this source will have an expected encoding length $L$ that is minimal among all U.D. codes for this source.

Proof: For $n = 2$ the statement is obvious because the Huffman code will be equal to $\{(0), (1)\}$ with $L = 1$. The induction argument is a direct consequence of Lemma 6.8. □


6.3 Universal Data Compression - The Lempel-Ziv Algorithms 


If one wants to compress data from a source with unknown statistics, the Huffman algorithm can 
not be applied. For such a situation, one needs so-called universal data compression techniques. 
Examples are the Lempel-Ziv algorithms (there are two of them) and a technique called arithmetic 
coding (see [ZivL77], [ZivL78], resp. [RisL79]). 
In [ZivL77], the authors introduce a window of a fixed length that slides over the sequence of source symbols, say from left to right. The sliding window consists of two parts: a larger part on the left, called the search buffer, and a smaller part on the right, called the look-ahead buffer. The source symbols in the search buffer have already been encoded. The encoder encodes as many new source symbols in the look-ahead buffer as possible by looking in the search buffer for the largest match of already encoded symbols. Suppose that the first $j$ unencoded source symbols match with the $j$ symbols in the search buffer that start at position $i$, but that these $j$ symbols followed by the next source symbol, say $a$, could not be matched. Then the encoder outputs the triple $(i, j, a)$ and the sliding window will move $j + 1$ characters to the right.


For example, suppose that the search buffer has length 10 and the look-ahead buffer has length 5. Let the sliding window be given by

    [window diagram not recoverable from the scan: positions 1 to 15, of which the first 10 form the search buffer and the last 5 the look-ahead buffer]

The largest match that can be found are the first three letters in the look-ahead buffer with the three letters starting at position 3 in the search buffer. The encoder will send the triple (2, 3, a), where a is the first symbol that could not be matched. The sliding window will move four positions to the right. At the beginning, when the search buffer is empty, the first encoding will start with (0, 0, x), where x is the first symbol of the source.
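The sliding-window scheme of [ZivL77] described above, as an added Python example (not code from the book). Position $i$ counts from 1 at the left end of the search buffer, with 0 meaning "no match"; that convention, the constructed input strings, and the choice to let a match run on into the look-ahead buffer (which the decoder handles by copying one symbol at a time) are this example's own assumptions.

```python
def lz77_encode(text, search=10, lookahead=5):
    """Emit triples (i, j, a): the next j source symbols equal the j symbols that
    start at position i (1-based) of the search buffer, and a is the first symbol
    that could not be matched; the window then slides j + 1 positions.
    (0, 0, a) is emitted when nothing matches, e.g. at the very beginning."""
    pos, out = 0, []
    while pos < len(text):
        start = max(0, pos - search)          # left end of the search buffer
        window = text[pos:pos + lookahead]    # the look-ahead buffer
        best_i = best_j = 0
        for i in range(pos - start):          # candidate start inside the search buffer
            j = 0
            # one symbol of the look-ahead buffer is always kept for the literal a
            while j < len(window) - 1 and text[start + i + j] == window[j]:
                j += 1
            if j > best_j:
                best_i, best_j = i + 1, j
        out.append((best_i, best_j, window[best_j]))
        pos += best_j + 1
    return out


def lz77_decode(triples, search=10):
    """Rebuild the text from the triples; the search buffer is the last `search`
    symbols already decoded, exactly as the encoder saw it."""
    text = ""
    for i, j, a in triples:
        start = max(0, len(text) - search)
        for k in range(j):                    # symbol-by-symbol copy allows overlap
            text += text[start + i - 1 + k]
        text += a
    return text


if __name__ == "__main__":
    sample = "abracadabra"                     # constructed input
    triples = lz77_encode(sample)
    print(triples)                             # [(0,0,'a'), (0,0,'b'), (0,0,'r'), (1,1,'c'), (1,1,'d'), (1,3,'a')]
    print(lz77_decode(triples) == sample)      # True
```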


We shall now discuss a particular variant of the Lempel-Ziv codes. We follow [Well99], where also an analysis of the performance can be found. The basic idea is that both sides (sender and receiver) make a dictionary that represents in a smart way substrings that have been transmitted before. If the new string of characters that is to be compressed is already in the dictionary, one encodes this string by the index of the corresponding entry in the dictionary. In general, this index will be a lot shorter than the string. If the new string is not in the dictionary, more work has to be done.


The dictionary that sender and receiver are making simultaneously will be (a lot) larger than the 
alphabet A of the source &. However, this dictionary will be stored in a very efficient way by 
means of a so-called linked list. 


The reader has to realize that the use of the Lempel-Ziv algorithm involves some overhead. 
However, for files of moderate length (say, one page of text) it already makes sense to use them. 


Initialization

As already remarked before, the dictionary will be stored by means of a linked list. Each entry in the list has its own address $u$. The corresponding entry consists of an ordered pair $(v, a)$, where $v$ should be interpreted as a pointer to another entry in the dictionary (so $v$ is again an address) and where $a$ is a letter in the alphabet $\mathcal{A}$. Let $A$ denote the size of $\mathcal{A}$.

To initialize the algorithm we start with a dictionary consisting of the following $A + 1$ entries:

    address   pointer   letter
    0         0         ∅
    1         0         a_1
    2         0         a_2
    ...
    A         0         a_A

Note that all these entries point to the list element with address 0. The symbol ∅ is not an element of $\mathcal{A}$. It is an additional symbol, serving as a punctuation mark.

To be ready for the encoding, we set the pointer value $v$ to 0 and the address pointer $u$ to $A + 1$ ($u$ is the address of the next empty location in the linked list).


Encoding

Algorithm 6.10 Encoding for Lempel-Ziv

    do begin
        read the next source symbol a;
        if (v, a) is already an entry in the dictionary then
            give v the value of the address of (v, a)
        else begin
            1) transmit v,
            2) make a new dictionary entry (v, a) with address u,
            3) u = u + 1 (raise pointer u by 1),
            4) give v the value of the address of (0, a)
        end
    end
    until the source stops.


The interpretation of the above is the following. If (v, a) is already an entry in the dictionary then 
the encoder is processing a string of symbols that has occurred at least once before. By assigning to 
v the value of the address of (v, a), one will be able later on to reconstruct this list. 


If (v, a) is not an entry in the dictionary, the encoder is faced with a new string that has not been 
processed before. It will transmit v to let the receiver know the address of the last source symbol in 
the preceding string. Further, the encoder makes a new dictionary entry (v, a) with address u. The 
symbol a will serve as root of a new string. Pointer v is given the value of the address of entry 
(0, a). The 0 in this entry points at dictionary entry (0, @) which indicates the beginning of a new 
string. 


Note that the output symbols of the coding process are dictionary indices, more precisely, 
addresses of the linked list. Their length grows logarithmically in the length of the dictionary. Note 
also, that each new source symbol will increasingly often not give rise to a new output symbol, 
because the current string will already have been encoded before. 
Example 6.4 (Part 1)

Consider a binary string $\{s_i\}$ that we want to compress. So, $\mathcal{A} = \{0, 1\}$ and $A = 2$.

We initialize the coding process by putting

    u = 3; v = 0; dict = {{0, -1}, {0, 0}, {0, 1}};
    dict

    {{0, -1}, {0, 0}, {0, 1}}

Note that we have used the negative number -1 instead of the null symbol ∅.

To demonstrate the coding process, we output for each new source symbol $s_i$ the new dictionary (represented as linked list), the new values of $u$ and $v$ and the complete output sequence.

We use the Mathematica function Position that finds the place of an element in a list. Because our list contains lists as elements we add [[1]] twice. Note that we subtract 1 from the address, because our numbering starts with 0 instead of 1.

    address[entry_] := Position[dict, entry][[1]][[1]] - 1

Now we are ready for the coding process. We use the Mathematica functions Do, If, MemberQ, Append, and Print.
Each line below shows, after one source symbol has been read, the dictionary, the new values of $u$ and $v$, and the output so far (the column $s_i$ lists the symbol read in that step, as recovered from the printed trace):

    step  s_i  dictionary                                                        u  v  total output
     1    1    {{0, -1}, {0, 0}, {0, 1}}                                         3  2  {}
     2    1    {{0, -1}, {0, 0}, {0, 1}, {2, 1}}                                 4  2  {2}
     3    0    {{0, -1}, {0, 0}, {0, 1}, {2, 1}, {2, 0}}                         5  1  {2, 2}
     4    0    {{0, -1}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, {1, 0}}                 6  1  {2, 2, 1}
     5    0    {{0, -1}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, {1, 0}}                 6  5  {2, 2, 1}
     6    1    {{0, -1}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, {1, 0}, {5, 1}}         7  2  {2, 2, 1, 5}
     7    0    {{0, -1}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, {1, 0}, {5, 1}}         7  4  {2, 2, 1, 5}
     8    1    {{0, -1}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, {1, 0}, {5, 1}, {4, 1}}  8  2  {2, 2, 1, 5, 4}
     9    1    {{0, -1}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, {1, 0}, {5, 1}, {4, 1}}  8  3  {2, 2, 1, 5, 4}
    10    0    {{0, -1}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, {1, 0}, {5, 1}, {4, 1}, {3, 0}}  9  1  {2, 2, 1, 5, 4, 3}
    11    0    {{0, -1}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, {1, 0}, {5, 1}, {4, 1}, {3, 0}}  9  5  {2, 2, 1, 5, 4, 3}
    12    1    {{0, -1}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, {1, 0}, {5, 1}, {4, 1}, {3, 0}}  9  6  {2, 2, 1, 5, 4, 3}


Decoding


For a proper decoding, the receiver must be able to reconstruct the same dictionary as was made by 
the transmitter. He can only act whenever a new output symbol arrives. Let v be this new symbol. 


By the encoding algorithm (Alg. 6.10) the arrival of v implies that a new element (say the u-th) has 
to be added to the dictionary. The pointer of this new entry is given by v. 


The source symbol for this entry is not known since it is the root symbol of the next string (which 
has not been encoded yet by the transmitter). So, only the pair (v, ?) can be added to the dictionary. 


The receiver is however able to fill in the missing symbol in the previous dictionary entry (at 
address u — 1). 


Further, the receiver can decode the complete source symbol string associated with the received 
symbol. 


We shall demonstrate the above process for the received sequence of Example 6.4. 
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Example 6.4 (Part 2) 


The receiver initializes just as the receiver did. So, u = 3, v =0,and the dictionary is given by 


HO, @}, {0, 0}, {0, I}}. 
He receives the following list ofsymbols: {2, 2, 1, 5, 4, 3}. 
The first received symbol is v = 2. 


So, the new dictionary entry will be {2, ?} and will have address u = 3.The question mark can not 
be filled in yet. 


Pointer 2 in {2, ?} points at the entry with address 2 in the dictionary, which is {0, 1}. This entry 
tells us that the last symbol of the previous string was a I and thatfor the preceding part we need 
to go to the dictionary entry with address 0. This entry is {0, @}, so we are done. 


The new dictionary is given by {{0, @}, {0, 0}, {0, 1}, {2, 2 }). 
The second received symbol is v = 2. 


To fill in the question mark in the current dictionary, we look at the entry in the dictionary with 
address vy =2. This entry is {0, 1}. Its source symbol gives the value of the question mark. 
Therefore, we get the following dictionary{{0, @}, {0, 0}, {0, 1}, {2, 1}}. 


Also, a new dictionary entry has to be added, namely \v, ? }={2,?} at address u = 4. 


Pointer 2 in this new entry {2, ?} points at the entry with address 2 in the dictionary, which is 
{0, 1}. This entry tells us that the last symbol of the previous string was a I and that for the 
preceding part we need to go to the dictionary entry with address 0. This entry is {0, @}, so we are 
done. The decoded string is just "I". 


The new dictionary is given by {{0, @\, {0, 0}, {0, 1}, {2, 1}, (2, 2 }). 
The third received symbol is v = 1. 


To fill in the question mark in the current dictionary, we look at the entry in the dictionary with 
address v = 1. This entry is {0, 0}. Its source symbol gives the value of the question mark. So, we 


get the following dictionary {{0, @}, {0, 0}, {0, 1}, (2, 1}, 2, O}}. 
Also, a new dictionary entry has to be added, namely {v, ? }={1,?} at address u = 5. 


Pointer 2 in this new entry {I, ?} points at the entry with address I in the dictionary, which is 
{0, O}. This entry tells us that the last symbol of the previous string was a 0 and that for the 
preceding part we need to go to the dictionary entry with address 0. This entry is {0, O}, so we are 
done. The decoded string is just "1". 


The new dictionary is given by {{0, @}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, (1, 23}. 
The fourth received symbol is v = 5. 


To fill in the question mark in the current dictionary, we look at the entry in the dictionary with 
address v = 5. This entry is {1, ?}. The pointer 1 in this entry refers to another entry in the 
dictionary, namely with address 1, so to entry {0, 0}. Pointer 0 in this entry means that we are at 
the root of a string. The source symbol of entry {0, 0} tells us that ? = 0. So, we get the following 
dictionary {{0, @}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, {1, 0}}. 


Also, a new dictionary entry has to be added, namely {v, ?} = {5, ?} at address u = 6. 


Pointer 5 in this new entry {5, ?} points at the entry with address 5 in the dictionary, which is 
{1, 0}. This entry tells us that the last symbol of the previous string was a 0 and that for the 
preceding part we need to go to the dictionary entry with address 1. This entry is {0, 0}, so the 
preceding source symbol is 0 and we are pointed to {0, @}. This means that we are done and that 
the decoded string is just "00". 


The new dictionary is given by {{0, @}, {0, 0}, {0, 1}, {2, 1}, {2, 0}, {1, 0}, {5, ?}}. 


The reader is invited to continue this process. 
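To make the dictionary bookkeeping above concrete, here is an added Python implementation (not from the book) of the Welch variant with the book's layout: entries are (pointer, symbol) pairs, the root {0, @} sits at address 0 and the single symbols at addresses 1 and 2. The received codes 2, 2, 1, 5 worked through above are the sample input; the encoder, and the helper names first_symbol and expand, are my own additions.

```python
def lzw_encode(text, alphabet=("0", "1")):
    """Welch variant with the book's dictionary layout: entry = (pointer, symbol),
    address 0 is the root {0, @}, addresses 1.. hold the single symbols."""
    table = [(0, None)] + [(0, s) for s in alphabet]
    codes = []
    addr = 0                                   # current string: the empty root
    for s in text:
        if (addr, s) in table:
            addr = table.index((addr, s))      # extend the current string by s
        else:
            codes.append(addr)                 # emit the longest known string
            table.append((addr, s))            # new entry: that string plus s
            addr = table.index((0, s))         # restart with the single symbol s
    codes.append(addr)
    return codes, table


def first_symbol(table, v):
    """Follow the pointers from entry v down to the root; the entry whose
    pointer is 0 carries the first symbol of the string at address v."""
    while table[v][0] != 0:
        v = table[v][0]
    return table[v][1]


def expand(table, v):
    """The string at address v, collected last symbol first and then reversed."""
    symbols = []
    while v != 0:
        symbols.append(table[v][1])
        v = table[v][0]
    return "".join(reversed(symbols))


def lzw_decode(codes, alphabet=("0", "1")):
    """Reverse of lzw_encode; returns the decoded strings and the final dictionary."""
    table = [(0, None)] + [(0, s) for s in alphabet]
    words = []
    for v in codes:
        if not 1 <= v < len(table):
            raise ValueError(f"code {v} does not address a dictionary entry")
        # The entry {v_prev, ?} added in the previous step gets its '?' filled
        # with the first symbol of the string the current code v stands for
        # (this also covers the case where v is that very entry).
        if table[-1][1] is None:
            table[-1] = (table[-1][0], first_symbol(table, v))
        words.append(expand(table, v))
        table.append((v, None))                # {v, ?}, completed by the next code
    return words, table


if __name__ == "__main__":
    words, table = lzw_decode([2, 2, 1, 5])    # the four received symbols worked above
    print(words)                               # ['1', '1', '0', '00']
    print(table)                               # the dictionary after the fourth symbol
    print(lzw_encode("11000")[0])              # [2, 2, 1, 5]
```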


6.4 Problems 


Problem 6.1 
Decode the string 01100111111111100011, which has been made with the code in Example 6.1. 


Problem 6.2 

Apply the Huffman algorithm to the plaintext source S that generates the symbols a, b, c, d, e, f, g, and 
h independently with probabilities 1/2, resp. 1/4, 1/8, 1/16, 1/32, 1/64, 1/128 and 1/128. 

What is the expected number of bits needed for the encoding of one letter? Compare this with the entropy 
of the source. 


Problem 6.3 
Duplicate Example 6.3 for the plaintext source S that generates the symbols a, b, c, d, e, f, g, and h 
independently with probabilities 1/3, resp. 1/4, 1/6, 1/12, 1/15, 1/20, 1/30, and 1/60. 


Problem 6.4 
Apply the Welch variant of the Lempel-Ziv encoding procedure to the binary sequence 
OQO00000000000000 


Demonstrate the first 5 steps of the decoding process. 
7 Public-Key Cryptography 


7.1 The Theoretical Model 


7.1.1 Motivation and Set-up 


In modern day communication systems, conventional cryptosystems turned out to have two 
essential disadvantages. 


i) The problem of key management and distribution. 


A communication system with n users, who all use a conventional cryptosystem to communicate 
with each other, implies the need of $\binom{n}{2}$ keys and $\binom{n}{2}$ secure channels. 


Whenever a user wants to change his keys or a new user wants to participate in the system, n − 1 
(resp. n) new keys have to be generated and distributed over as many secure channels. 


ii) The authentication problem. 


In computer controlled communication systems the electronic equivalent of a signature is needed. 
Conventional cryptosystems do not provide this feature in a natural way: when there is a 
conflict between sender and receiver, it is impossible to decide who is right, since any message made by 
one of them could also have been made by the other. 


These disadvantages prompted researchers to look for a different kind of cryptosystem. 


In [DifH76], W. Diffie and M.E. Hellman published their pioneering work on public-key 
cryptosystems. See Figure 7.1, where their system is depicted. 


[Figure: m is sent as P_B(m) = c and recovered as S_B(c) = m.] 


A public-key cryptosystem for encryption. 


Figure 7.1 
Every user U of the cryptosystem makes a pair of matching algorithms P_U and S_U (or gets them 
from a trustworthy authority). These algorithms operate on elements of later to be defined sets. 


Algorithm P_U has to be made public by U, while algorithm S_U has to be kept secret by U. 
Depending on the application, these algorithms must satisfy some of the following properties: 


PK1: P_U and S_U are efficient algorithms, i.e. they do not need much computing time or 
memory space. 


PK2: S_U(P_U(m)) = m, for every user U and for each possible message m. 
PK3: It is infeasible to find an algorithm S'_U from P_U that satisfies S'_U(P_U(m)) = m for all m. 
PK4: P_U(S_U(m)) = m, for every user U and for each possible message m. 
PK5: It is infeasible to find an algorithm S'_U from P_U that satisfies P_U(S'_U(m)) = m for all m. 


Properties PK3 and PK5 are not precisely formulated. Their precise meaning depends too much on 
the application and may vary in time. 


7.1.2 Confidentiality 
We assume that properties PK1, PK2, and PK3 hold. 


If Alice wants to send an encrypted message m to Bob, she first looks up the public (encryption) 
algorithm P_B of Bob. She encrypts m by applying algorithm P_B to m. So, she sends to Bob: 


c = P_B(m). 
Bob recovers m from the received ciphertext c by applying his (secret) algorithm S_B to c. Indeed, 
S_B(c) = S_B(P_B(m)) = m (by PK2). 


To make the system practical to use, property PK1 must hold. It is for the security of the system 
that property PK3 has to be required. 


PK3 makes it possible to publish the (encryption) algorithms P_U without endangering the privacy 
of the transmitted messages. 


We summarize the encryption scheme in the following table. 


Public: P_U of all users U 
Secret: S_U to all users, except U 
Properties: PK1, PK2, PK3 
Encryption of m by Ann: P_B(m) = c 
Decryption of c by Bob: S_B(c) = m 


A public-key cryptosystem used for privacy. 
Table 7.1 
If a user U wants to change his personal key, he simply generates a new set of matching algorithms 
P_U and S_U satisfying PK1, PK2 and PK3 and makes P_U public. The same has to be done when a 
new user wants to participate in the communication system. 


In [DifH76], the authors suggest to use a trapdoor, one-way function for the encryption. A one-way 
function is a function f : A → B with the following properties: 


F1) f(a) is easy to evaluate for any a ∈ A, 
F2) it is computationally infeasible to compute f^{−1}(b) for almost all b ∈ B. 


A trapdoor, one-way function is a one-way function f satisfying the further property that 
F3) f^{−1}(b), b ∈ B, is easy to compute given certain additional information. 


Property Fl makes such a function practical to use, while property F2 makes f safe to use for 
encryption purposes. Property F3 makes decryption by the receiver possible. 


In daily life a telephone book can be used as a one-way function: given a name one can easily find 
the corresponding telephone number, but not the other way around. Looking up a telephone number 
of a person amounts to finding the name of that person. This takes log_2 L operations, if L is the 
number of names in the telephone guide. Finding the name if the telephone number is given means 
going through the whole book, name after name. The complexity is L. Property F2 is based on the 
exponential relation between log_2 L and L. 


One-way functions f are also used to check the authenticity of a person that wants to get access to 
something. Each user U has his own PIN code x_U, but in a central computer only the name of U is 
stored together with the value y_U = f(x_U). 


When U wants to get access he needs to give his name and x_U. The value f(x_U) will be evaluated 
and sent to the computer. If this value matches y_U, user U can get access, otherwise not. The 
advantage of this system is that the PIN codes x_U do not need to be stored in the computer. So, 
anybody who can read out the memory of the computer can still not determine the PIN codes. 


In Chapters 8, 9, and 12 we shall discuss various proposals for trapdoor one-way functions that can 
be turned into a public-key cryptosystem. In the next chapter we shall meet a one-way 
function which does not have a trapdoor. 


7.1.3 Digital Signature 
We assume that properties PK1, PK4, and PK5 hold. 


If Alice wants to sign a message m that she wants to send to Bob, she applies her own (secret) 
algorithm S_A to m, so she sends 


c = S_A(m). 


Bob recovers m from c by applying the publicly known algorithm P_A to c. Indeed, 
P_A(c) = P_A(S_A(m)) = m (by PK4). 


The value c can be used by Bob as signature for m, because, by PK5, Alice is the only person who 
can compute c from m, i.e. only she can make a c from a given message m such that P_A(c) = m. 


The converse however is possible: everybody is able to find a pair (m, c) such that c carries m's 
signature, i.e. such that P_A(c) = m: simply take any c and compute m = P_A(c). 


So, Alice has to make sure that a randomly selected c has a negligible probability of leading to a 
useful message P_A(c) = m. This can quite easily be achieved by assuming some structure in each 
message m, e.g. start with the time and date. 


We summarize the signature system explained above in the following table. 


Public: P_U of all users U 
Secret: S_U to all users, except U 
Properties: PK1, PK4, PK5 
Signing of m by Ann: S_A(m) = c 
Verification of c by Bob: P_A(c) = m 


A public-key cryptosystem used 
for signing a message. 


Table 7.2 


Note that anybody else can also verify Alice's signature by computing P_A(c), so there is no secrecy. 


7.1.4 Confidentiality and Digital Signature 
We assume that properties PK1, PK2, PK3, PK4, and PK5 hold. 


If Alice wants to send message m in encrypted form with her own signature to Bob, she combines 
the techniques of Subsections 7.1.2 and 7.1.3. Thus, she uses her own secret algorithm S_A and the 
public algorithm P_B of Bob to send 

c = P_B(S_A(m)). 


Bob recovers m from c by applying first S_B and then P_A to c. Indeed, 


P_A(S_B(c)) = P_A(S_B(P_B(S_A(m)))) = P_A(S_A(m)) = m (by PK2 and PK4). 


Although everybody can look up the public P_B, it is only Bob who can recover m from c, because 
only Bob knows S_B. 


Bob keeps the pair S_B(c), which is S_B(P_B(S_A(m))), i.e. S_A(m), as Alice's signature on m, just like in 
Subsection 7.1.3. 


We summarize this in the following table. 
Public: P_U of all users U 
Secret: S_U to all users, except U 
Properties: PK1, PK2, PK3, PK4, PK5 
Ann sends: P_B(S_A(m)) = c 
Bob computes: P_A(S_B(c)) = m 
Bob saves: S_B(c) = S_A(m) 


A public-key cryptosystem used 
for encryption and signing. 


Table 7.3 


7.2 Problems 


Problem 7.1 

In a communication network every user U has its own public encryption algorithm P_U and secret 
decryption algorithm S_U. A message m from user A (for Alice) to user B (for Bob) will always be sent in 
the format (c, A), with c = P_B(m). 

The name of the sender in this message tells Bob from whom the message originates. 

Bob will retrieve m from (c, A) by computing S_B(c) = S_B(P_B(m)) = m (see PK2), but Bob will also 
automatically send (P_A(m), B) back to Alice (note that (P_A(m), B) has the same format as (P_B(m), A)). In 
this way, Alice knows that her message has been properly received by Bob. 


a) Show how a third user E (for Eve) of the network can retrieve message m that was sent by Alice to Bob. 
You may assume that Eve can intercept all messages that are communicated over the network, and that Eve 
can also transmit her own texts, as long as they have the right format. 


b) Show that communication over this network is still not safe if the protocol is such that Alice sends 
P_B((P_B(m), A)) to Bob and that Bob automatically sends P_A((P_A(m), B)) back to Alice. 
8 Discrete Logarithm Based Systems 


8.1 The Discrete Logarithm System 


8.1.1 The Discrete Logarithm Problem 


In [DifH76], Diffie and Hellman propose a public-key distribution system which is based on the 
apparent difficulty of computing logarithms over the finite field GF(p), p prime, which is also 
often denoted by F_p or Z_p. The reader who is not familiar with the theory of finite fields is 
referred to Appendix B. 


Let α be a primitive element (or generator) of GF(p). So, each nonzero element c in GF(p) can be 
written as 

c = α^m, (8.1) 

where m is unique modulo p − 1. 


Example 8.1 
In GF(7) the element α = 3 is a primitive element, as can be checked from 3^2 = 2 (mod 7), 3^3 = 6 (mod 7), 
3^4 = 4 (mod 7), 3^5 = 5 (mod 7), and 3^6 = 1 (mod 7). 


This can be done at once with 


Mod[3^{1, 2, 3, 4, 5, 6}, 7] 


{3, 2, 6, 4, 5, 1} 


Example 8.2 


In GF(197), the element α = 2 is primitive. Such an element can be found with the Mathematica function 
PowerList (for which the package Algebra`FiniteFields first has to be initialized). This function 
finds a primitive element in F_q and generates all its powers (starting with the 0-th). The second element in 
this list is the primitive element itself. 


<<Algebra`FiniteFields 


p = 197; 
PowerList[GF[p, 1]][[2]] 
To check that 2 is a primitive element modulo 197 is a lot easier. The multiplicative group Z_197^* 
has order 196, so each element has an order dividing 196 (see Theorem B.5). 


With the function FactorInteger one can find the different prime factors of 196. 


FactorInteger[196] 


{{2, 2}, {7, 2}} 


It now follows from 


PowerMod[2, 196/7, 197] == 1 
PowerMod[2, 196/2, 197] == 1 


False 


and 


False 


that the order of 2 modulo 197 does not divide 196/2 or 196/7, so the order must be 196. 


If m is given, c can be computed from (8.1) with about 2⌈log_2 p⌉ multiplications (see [Knut81], pp. 
441-466). One can realize this by creating the table α, α^2, α^4, ..., α^{2^{⌈log_2 p⌉−1}} (each is the 
square of the previous one) and multiplying elements from this table whose exponents add up to 
m. To this end the binary representation of m can be used. 


Example 8.3 


Take m = 171. Its binary expansion is 10101011, as follows from the Mathematica function 
IntegerDigits. 


IntegerDigits[171, 2] 


{1, 0, 1, 0, 1, 0, 1, 1} 


So, now one has α^171 = α^128·α^32·α^8·α^2·α. 


This calculation can also be done on the fly. The leftmost 1 in the binary representation of m 
stands for α. Each subsequent symbol (from the left) in the binary representation implies a 
squaring of the previous result, but if this symbol is a 1 also an additional multiplication by α has 
to be performed. 


Clear[a]; 
((((((a^2)^2 a)^2)^2 a)^2)^2 a)^2 a 


a^171 


If one has to perform the same modular exponentiation many times, for instance on a smart card 
implementation, there are ways to do this with fewer multiplications. 


Definition 8.1 

An addition chain for an integer m is a sequence of integers 
a_0 = 1 < a_1 < ... < a_{l−1} < a_l = m, with the property that each a_k, 1 ≤ k ≤ l, is the sum 
of two (not necessarily different) preceding a_i's. 
The index l is called the length of the chain. 





The way that addition chains are used for (modular) exponentiation is clear. If a_k = a_i + a_j, then 
α^{a_k} = α^{a_i}·α^{a_j}. Hence, α^m = α^{a_l} can now be computed recursively. 


It is, in general, not obvious how the shortest addition chain of an integer m can be found. See 
[Knut81], Section 4.6.3 and [Bos92], Chapter 4. 

Example 8.4 

An addition chain for m = 15 is the sequence 1, 2, 3, 6, 12, 15. 


Note that the calculation of α^15 involves 5 multiplications with this addition chain and 6 multiplications 
with the binary method explained before. 
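As an added example (not the book's code), the binary method of Example 8.3 and the addition-chain method of Definition 8.1 in Python, each counting the multiplications it performs; the chain 1, 2, 3, 6, 12, 15 for m = 15 is the one of Example 8.4, and the function names are my own.

```python
def binary_exp(alpha, m, p):
    """Left-to-right square-and-multiply, the 'on the fly' method of Example 8.3.
    Returns (alpha^m mod p, number of modular multiplications used)."""
    if m < 1:
        raise ValueError("exponent must be positive")
    bits = bin(m)[2:]                    # binary expansion; the leftmost 1 stands for alpha
    result = alpha % p
    mults = 0
    for bit in bits[1:]:
        result = result * result % p     # every further bit squares the previous result
        mults += 1
        if bit == "1":                   # a 1 additionally multiplies by alpha
            result = result * alpha % p
            mults += 1
    return result, mults


def chain_exp(alpha, chain, p):
    """Exponentiation along an addition chain 1 = a_0 < a_1 < ... < a_l = m:
    alpha^{a_k} = alpha^{a_i} * alpha^{a_j} whenever a_k = a_i + a_j.
    Returns (alpha^m mod p, number of multiplications), the latter being the length l."""
    if chain[0] != 1 or any(b <= a for a, b in zip(chain, chain[1:])):
        raise ValueError("chain must start with 1 and be strictly increasing")
    powers = {1: alpha % p}              # a_i -> alpha^{a_i} mod p for the members seen so far
    for a_k in chain[1:]:
        pair = next(((a_i, a_k - a_i) for a_i in chain
                     if a_i in powers and (a_k - a_i) in powers), None)
        if pair is None:
            raise ValueError(f"{a_k} is not a sum of two earlier chain members")
        powers[a_k] = powers[pair[0]] * powers[pair[1]] % p
    return powers[chain[-1]], len(chain) - 1


if __name__ == "__main__":
    print(binary_exp(3, 11, 17))                        # (7, 5)
    print(binary_exp(2, 15, 197)[1])                    # 6 multiplications, as in Example 8.4
    print(chain_exp(2, [1, 2, 3, 6, 12, 15], 197)[1])   # 5 multiplications
```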


In Mathematica the PowerMod function is a fast way to compute modular exponentiations. 


a = 27; m = 171111111; p = 197888886; 
PowerMod[a, m, p] 


55895160 
The opposite problem of finding m satisfying (8.1) from c is not so easy. It is called the discrete 
logarithm problem, because in Z_p the exponent m can be written like m = log_α c. 


In [Knut73], pp. 9, 575-576, one can find an algorithm that solves the logarithm problem. It 
involves roughly c_1 √p operations and c_2 √p bits of memory space (where c_1 and c_2 are some 
constants). In Theorem 8.1 a more precise analysis of this algorithm will be given. Writing 
t = log_2 p (and forgetting about the constants), one gets the following exponential relation between 
exponentiation and taking logarithms. 


exponentiation: t 
taking logarithms: 2^{t/2} 


The computational discrepancy between 
exponentiation and taking logarithms 


Table 8.1 


8.1.2 The Diffie-Hellman Key Exchange System 


We shall now describe how the discrepancy in computing time between exponentiation and taking 
logarithms, as depicted in Table 8.1, can be used to execute a key exchange protocol of a "public-
key cryptography" type. Such a protocol is a method for two parties who do not share a common 
secret key to agree on a common key in a secure manner. 


Setting up the system: 


1) All participants share as system parameters a prime number p and a primitive element 
(generator) α in GF(p). 


2) Each participant P chooses an integer m_P, 1 ≤ m_P ≤ p − 2, at random, computes c_P = α^{m_P} and 
puts c_P in the public key book. Participant P keeps m_P secret. 
Using the system: 


Let us now assume that Alice (A for short) and Bob (B) want to communicate with each other 
using a conventional cryptosystem, but that they have no secure channel to exchange a key. With 
the public key book, they can agree on the common secret key 


k_{A,B} = α^{m_A m_B}. 
Alice can compute k_{A,B} by raising the publicly known c_B of Bob to the power m_A, which only she 
knows herself. Indeed, 

(c_B)^{m_A} = (α^{m_B})^{m_A} = α^{m_A m_B} = k_{A,B}. 
Similarly, Bob finds k_{A,B} by computing (c_A)^{m_B}. 
If somebody else (Eve) is able to compute m_A from c_A (or m_B from c_B), she can compute the key 
k_{A,B} just like Alice or Bob did. By taking p sufficiently large, the computation time of solving this 
logarithm problem will be prohibitively large. Diffie and Hellman suggest to take p about 100 bits 
long. A different way of finding k_{A,B} from c_A and c_B does not seem to exist. 


There is no obvious reason to restrict the size of the finite field to a prime number. So, from now 
on the size of the field can be any prime power q (see Theorem B.16 or Theorem B.20). 
In [Lune87], Chapter XIII, efficient algorithms to find primitive elements in finite fields are 
described. See also Problem B.6 and Problem B.10. 


We summarize the key distribution system in Table 8.2. 


system parameters: field size q, primitive element α 
secret key of P: m_P 
public key of P: c_P = α^{m_P} 
common key of A and B: k_{A,B} = α^{m_A m_B} 
Ann computes: (c_B)^{m_A} 
Bob computes: (c_A)^{m_B} 


The Diffie-Hellman Key Exchange System 
Table 8.2 


Example 8.5 (Part 1) 
Let p = 197 and α = 2. 
Alice chooses as a random secret exponent m_A = 56 and Bob as a random secret exponent m_B = 111. They 
compute their public keys with the PowerMod function. 


cA = PowerMod[2, 56, 197] 
cB = PowerMod[2, 111, 197] 


178 
82 


Alice can compute the common key with Bob by raising the publicly known c_B to the power m_A, 
which only she knows. She gets: 


PowerMod[82, 56, 197] 
114 


Bob gets the same common key by raising c_A to the power m_B. Indeed, he gets: 


PowerMod[178, 111, 197] 


114 
8.2 Other Discrete Logarithm Based Systems 


8.2.1 ElGamal's Public-Key Cryptosystems 


In [ElGa85], two public-key systems are described that are based on the discrete logarithm 
problem. One can be used for encryption purposes, the other as a signature scheme. 


In both systems the transmitted text is longer than the plaintext. 


□ Setting It Up 


As system parameters, all participants share a prime number p and a generator (primitive element) 
α of the multiplicative group Z_p^*. The generalization to finite fields is straightforward and will be 
omitted. 


A variation that one sees quite often is to consider Z_q^* with q prime and an element α ∈ Z_q^* of large 
prime order, say p, instead of taking a primitive element. Note that by Theorem B.5, p must divide 
q − 1. 


Each participant P chooses an integer m_P, 1 ≤ m_P < p − 1, at random, computes c_P = α^{m_P} (mod p) 
and makes c_P public. Participant P keeps m_P secret. 


As a variation, each participant can also choose his own finite field and primitive element a, 
instead of having them as system parameters, but there seems to be little reason to do so. 


□ ElGamal's Secrecy System 


Encryption of a message for Bob. 


Suppose that Alice wants to send a private message u to Bob. The message is represented by an 
integer u in {0, 1, ..., p − 1}. 


Alice selects a random integer r and computes R = α^r. 
Next, Alice computes S = u·c_B^r. 


Alice sends to Bob the pair (R, S). 


Decryption by Bob. 
Bob receives the pair (R, S) and can quite easily retrieve the message u with his own secret m_B 
with the following calculation: 


S/R^{m_B} = u·c_B^r/α^{r m_B} = u·α^{m_B r}/α^{r m_B} = u. 
Example 8.5 (Part 2) 
We continue with Example 8.5. We have p = 197, α = 2 and c_B = 82 as public parameters. 


The number m_B = 111 is only known to Bob. 


Suppose that Alice wants to encrypt message u = 123 for Bob. 
Let r = 191 be the random integer chosen by Alice (it is coprime with p − 1). 


Alice sends the pair (R, S) computed by 


p = 197; a = 2; cB = 82; 
r = Random[Integer, {0, p-2}] 
u = 123; 
R = PowerMod[a, r, 197] 
S = Mod[PowerMod[cB, r, 197] u, p] 


191 


117 


175 


To decrypt, Bob computes S/R^{m_B} mod p with his own secret m_B = 111 by means of the 
Mathematica functions Mod and PowerMod. Note that PowerMod[a, −1, p] computes the 
multiplicative inverse of a modulo p (see Subsection A.3.3). 

mB = 111; 
Mod[S PowerMod[PowerMod[R, mB, p], -1, p], p] 


123 


An eavesdropper can not determine r from R, since we assume that taking logarithms is 
intractable. For that reason, this eavesdropper is not able to divide out (c_B)^r from S (to obtain the 
secret u). 
□ ElGamal's Signature Scheme 


Signing of a message by Alice. 


Suppose that Alice wants to send a signed message u to Bob. The message is again represented by 
an integer u in {0, 1, ..., p − 2}. 


Alice selects a random integer r that is relatively prime to p − 1 and computes R = α^r. 
Next, Alice uses her secret exponent m_A to compute S satisfying 

u = m_A R + r S (mod p − 1). (8.2) 
Alice can use the extended version of Euclid's Algorithm to find S efficiently. 


Alice sends to Bob the triple (u, R, S), where the pair (R, S) serves as signature on the message u. 


Verification of the signature by Bob. 


Bob receives the signature (R, S) together with the message u. 
Bob checks this signature by verifying that 
α^u = (c_A)^R R^S (mod p). 
This relation has to hold because by (8.2) 
α^u = α^{m_A R} α^{r S} = (α^{m_A})^R (α^r)^S = (c_A)^R·R^S (mod p). 
Example 8.5 (Part 3) 
We continue with Example 8.5, where we have p = 197, α = 2 and c_A = 178 as public parameters. 
The number m_A = 56 is only known to Alice. 
Suppose that Alice wants to sign message u = 123 for Bob. 
Let r = 97 be the random integer chosen by Alice (it is coprime with p − 1). 


Alice computes 


p = 197; a = 2; mA = 56; 
r = 97; u = 123; S =.; 
R = PowerMod[a, r, 197] 
S /. Solve[{r S == u - mA R, Modulus == p-1}, S][[1]] 


98 


171 


to find the signature (R, S) = (98, 171) that she adds to her message u. 
Bob checks this signature by verifying α^u = (c_A)^R R^S (mod p): 


cA = 178; R = 98; S = 171; 
PowerMod[a, u, p] == 
Mod[PowerMod[cA, R, p] * PowerMod[R, S, p], p] 


True 
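Example 8.5, Parts 1 to 3, in Python as an added illustration (not the book's Mathematica code): the primitivity check of Subsection 8.1.1, the Diffie-Hellman key exchange of Table 8.2, and ElGamal encryption and signing, with p = 197, α = 2, m_A = 56, m_B = 111 and the example's values r = 191 and r = 97. The fixed r values only serve to reproduce the book's numbers; in use, r is drawn fresh and unpredictably for every message. Function names are my own.

```python
from math import gcd


def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for textbook sizes)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_primitive(alpha, p):
    """alpha generates Z_p^* iff alpha^((p-1)/l) != 1 for every prime l dividing p-1;
    this is the check the book does by hand for 2 modulo 197."""
    return all(pow(alpha, (p - 1) // l, p) != 1 for l in prime_factors(p - 1))


def dh_public(alpha, m_own, p):
    """c_P = alpha^{m_P}, the value put in the public key book."""
    return pow(alpha, m_own, p)


def dh_common_key(c_other, m_own, p):
    """k_{A,B} = (c_B)^{m_A} = (c_A)^{m_B} = alpha^{m_A m_B}."""
    return pow(c_other, m_own, p)


def elgamal_encrypt(u, c_B, r, alpha, p):
    """Alice: R = alpha^r, S = u * c_B^r (mod p), for u in {0, ..., p-1}."""
    return pow(alpha, r, p), u * pow(c_B, r, p) % p


def elgamal_decrypt(R, S, m_B, p):
    """Bob: u = S / R^{m_B} (mod p); the division is a multiplication by the inverse."""
    return S * pow(pow(R, m_B, p), -1, p) % p


def elgamal_sign(u, m_A, r, alpha, p):
    """Alice: R = alpha^r and S solving u = m_A R + r S (mod p-1), equation (8.2);
    r has to be coprime to p-1 so that r^{-1} mod (p-1) exists."""
    if gcd(r, p - 1) != 1:
        raise ValueError("r must be coprime to p - 1")
    R = pow(alpha, r, p)
    S = (u - m_A * R) * pow(r, -1, p - 1) % (p - 1)
    return R, S


def elgamal_verify(u, R, S, c_A, alpha, p):
    """Bob: accept iff alpha^u == (c_A)^R * R^S (mod p), with R in 1..p-1."""
    if not 1 <= R <= p - 1:
        return False
    return pow(alpha, u, p) == pow(c_A, R, p) * pow(R, S, p) % p


if __name__ == "__main__":
    p, alpha = 197, 2                        # system parameters of Example 8.5
    m_A, m_B = 56, 111                       # secret exponents of Alice and Bob
    print("2 primitive mod 197:", is_primitive(alpha, p))
    c_A, c_B = dh_public(alpha, m_A, p), dh_public(alpha, m_B, p)      # 178, 82
    print("common key:", dh_common_key(c_B, m_A, p), dh_common_key(c_A, m_B, p))
    R, S = elgamal_encrypt(123, c_B, 191, alpha, p)
    print("ciphertext", (R, S), "decrypts to", elgamal_decrypt(R, S, m_B, p))
    R, S = elgamal_sign(123, m_A, 97, alpha, p)
    print("signature", (R, S), "verifies:", elgamal_verify(123, R, S, c_A, alpha, p))
```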


8.2.2 Further Variations 


In the ElGamal scheme, the signature on a message u consists of two parts: R, being α^r with r 
random, and S, being a solution of u = m_A R + r S (mod p − 1) (see (8.2)). Of course one can vary 
this so-called signature equation. 


The next three variations do exactly this. The reader who wants to know more about them than is 
presented below is referred to [MeOoV96] and [Schne96]. 


□ Digital Signature Standard 
In the Digital Signature Standard (see [FIPS94]) the signature equation is given by: 
r S = u + m_A R (mod p − 1). 


The system is designed by the National Security Agency (NSA) and adopted as standard by the 
National Institute of Standards and Technology (NIST). 


DSS adds two sequences of 160 bits each to the end of a document as guarantee of its authenticity 
and integrity. To this end, it first compresses the document to a sequence of 160 bits by means of a 
cryptographically secure hash function (see Section 13.2), called the Secure Hash Algorithm (see 
[MeOoV96], §9.53 and [Schne96]). 


To set up the system the following joint parameters are chosen: 


i) A prime number q whose binary representation has a word length that is divisible by 
64 and lies between 512 and 1024. 


ii) A prime factor p of q − 1 that is 160 bits long. 


iii) A value g = (h^{(q−1)/p} mod q), where h is less than q − 1, such that g is greater than 1. 
Since g^p = h^{q−1} = 1 (mod q) by Fermat's Theorem (A.15), it follows that the multiplicative order of 
g divides p. On the other hand p is prime, therefore g has multiplicative order p itself (see also 
Theorem B.5). 


Each user U chooses a secret exponent m_U, computes c_U = g^{m_U} (mod q) and makes c_U public. 


When Alice wants to sign a file M, she first computes its 160 bits long hash value h(M) with the 
Secure Hash Algorithm. 


Next, she chooses a random number r < p and adds as signature to M the numbers R and S, both 
of length 160, defined by: 


R = ((g^r mod q) mod p), 
S·r = h(M) + m_A R (mod p). 


A receiver can check the authenticity and integrity of the received message M by evaluating: 


w = S^{−1} (mod p), 
x = h(M)·w (mod p), 
y = R·w (mod p), 


U = ((g^x·(c_A)^y mod q) mod p). 


If R = U the document will be accepted as genuine and coming from Alice. By a simple 
substitution one can verify that the relation R = U indeed should hold. 


The function of the random number r above is to hide the secret key of Alice. 
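The DSS equations above as an added Python example (not the book's code) with toy-sized parameters, far below the 512-bit q and 160-bit p the standard prescribes: dss_parameters follows steps i) to iii) at a constructed 20-bit size, and reducing the SHA-1 digest modulo p in place of the 160-bit hash is my simplification. Function names are my own.

```python
import hashlib


def is_prime(n):
    """Trial division; only meant for the toy parameter sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def dss_parameters(p_bits=20):
    """Toy version of steps i) to iii): a prime p, a prime q with p | q-1 and an
    element g of multiplicative order p in Z_q^*. The standard asks for a 160-bit p
    and a 512..1024-bit q; here p has p_bits bits (constructed sizes)."""
    p = 1 << p_bits
    while not is_prime(p):
        p += 1
    k = 2                                    # q = k p + 1 must be odd, so k is even
    while not is_prime(k * p + 1):
        k += 2
    q = k * p + 1
    h = 2                                    # any h < q-1 with h^((q-1)/p) != 1 will do
    while pow(h, (q - 1) // p, q) == 1:
        h += 1
    g = pow(h, (q - 1) // p, q)              # g^p = h^(q-1) = 1 and p is prime, so ord(g) = p
    return q, p, g


def hash_mod(message, p):
    """h(M): SHA-1 as named by the standard, here reduced modulo p (my simplification)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % p


def dss_sign(message, m_A, r, q, p, g):
    """R = (g^r mod q) mod p and S r = h(M) + m_A R (mod p), solved for S."""
    if not 1 <= r < p:
        raise ValueError("r must lie in 1..p-1")
    R = pow(g, r, q) % p
    S = (hash_mod(message, p) + m_A * R) * pow(r, -1, p) % p
    if R == 0 or S == 0:
        raise ValueError("degenerate signature, choose a fresh r")
    return R, S


def dss_verify(message, R, S, c_A, q, p, g):
    """w = S^-1, x = h(M) w, y = R w (mod p); U = (g^x c_A^y mod q) mod p; accept iff U == R."""
    if not (0 < R < p and 0 < S < p):
        return False
    w = pow(S, -1, p)
    x = hash_mod(message, p) * w % p
    y = R * w % p
    U = pow(g, x, q) * pow(c_A, y, q) % q % p
    return U == R


if __name__ == "__main__":
    q, p, g = dss_parameters()
    m_A = 123456                             # constructed secret exponent of Alice
    c_A = pow(g, m_A, q)
    R, S = dss_sign(b"constructed document", m_A, 98765, q, p, g)
    print((q, p, g), (R, S), dss_verify(b"constructed document", R, S, c_A, q, p, g))
```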


□ Schnorr's Signature Scheme 
In Schnorr's signature scheme [Schno90] the signature equation (see (8.2)) is given by: 


S = m_A R + r (mod p − 1). 


□ The Nyberg-Rueppel Signature Scheme 


The Nyberg-Rueppel signature scheme [NybR93] is slightly different from the others. Here, R is 
defined by 


R = u·α^r with r random. 

The signature equation (see (8.2)) is given by: 
S = m_A R − r (mod p − 1). 

In the Nyberg-Rueppel scheme, the message u can be retrieved directly from R and S, since 
u = R·α^{−r} = R·α^{S − m_A R} = R·α^S/(α^{m_A})^R = R·α^S/c_A^R (mod p). 


If u is not the hash value of a much longer other file, this feature is an advantage, because only R 
and S have to be sent. 
8.3 How to Take Discrete Logarithms 


When one has to take a logarithm in GF(q), the most obvious way to reduce the workload is to 
factor q − 1 into prime power factors, compute the logarithm for each of these factors, and then 
combine the results with the Chinese Remainder Theorem (Thm. A.19). In Subsection 8.3.1, this 
method will be demonstrated for a particular technique. 


As we have said before, discrete logarithm based systems are often set up in a multiplicative 
subgroup of GF(q). This generalization does not affect the methods that will be discussed in this 
section. 


8.3.1 The Pohlig-Hellman Algorithm 


In [PohH78], Pohlig and Hellman demonstrate that discrete logarithms can be taken much faster 
than in √q operations if q − 1 has only small prime divisors. We shall first demonstrate this 
method for two special cases. 


□ Special Case: q − 1 = 2^n 


Examples of prime numbers that are a power of 2 plus one are given by q = 17, q = 257, and 
q = 2^16 + 1. 


n = 16; PrimeQ[2^n + 1] 


True 


So, let α be a primitive element in a finite field GF(q). The problem is to find m, 0 ≤ m ≤ q − 2, 
satisfying (8.1) for a given value of c. 


Let m_0, m_1, ..., m_{n−1} be the binary representation of the unknown m, i.e. 
m = m_0 + m_1 2 + ... + m_{n−1} 2^{n−1}, m_i ∈ {0, 1}, 0 ≤ i ≤ n − 1. 


Of course, it suffices to compute the unknown m_i's. Since α is a primitive element of GF(q) we 
know (see also Theorem B.21) that α^{q−1} = 1 and α^i ≠ 1 for 0 < i < q − 1. 


It also follows that α^{(q−1)/2} = −1, because the square of α^{(q−1)/2} is 1, while α^{(q−1)/2} ≠ 1. (We also 
use here that by Theorem B.15 the quadratic equation x^2 = 1 has ±1 as only roots.) Hence 

$$c^{(q-1)/2} = (\alpha^m)^{(q-1)/2} = \alpha^{m(q-1)/2} = \alpha^{(m_0 + m_1 2 + \cdots + m_{n-1} 2^{n-1})(q-1)/2} = \alpha^{m_0 (q-1)/2} = \begin{cases} 1, & \text{if } m_0 = 0, \\ -1, & \text{if } m_0 = 1. \end{cases}$$ 


Therefore, the evaluation of c^{(q−1)/2} in GF(q), which takes at most 2⌈log_2 q⌉ multiplications (as we 
have seen in Subsection 8.1.1), yields m_0. 


Compute c_1 = c·α^{−m_0}. Now m_1 can be determined in the same way as above from 

$$c_1^{(q-1)/4} = \alpha^{(m_1 2 + m_2 2^2 + \cdots + m_{n-1} 2^{n-1})(q-1)/4} = \alpha^{m_1 (q-1)/2} = \begin{cases} 1, & \text{if } m_1 = 0, \\ -1, & \text{if } m_1 = 1. \end{cases}$$ 

Compute c_2 = c_1·α^{−2 m_1} = c·α^{−(m_0 + m_1 2)} and determine m_2 from (c_2)^{(q−1)/8}. Repeat this process until 
also m_{n−1} (and thus m) has been determined. 


The above algorithm finds m from c in at most 
n·(2⌈log_2 q⌉ + 2) ≈ 2 (log_2 q)^2 ≈ 2n^2 


operations, where the term +2 comes from the evaluation of the c_i's (in the i-th step the current 
power of α^{−1} has to be squared and the outcome may or may not have to be multiplied with c_{i−1}). 


Comparing with Table 8.1, we observe that in the current case (i.e. q = 2^n + 1) the discrepancy 
between the computational complexity of using the Diffie-Hellman scheme (one exponentiation 
involving 2n multiplications) and breaking it (≈ 2n^2 multiplications) is quadratic, which is not 
significant enough to make the system secure. 


Remark: 


Note that when q − 1 = s·2^t, s odd, the t least significant bits of m can be found in exactly the 
same way. 


Example 8.6 
Consider the equation 3^m = 7 mod 17. So, q = 17, α = 3, and c = 7. Note that α^{−1} = 6. 


Writing m = m_0 + 2 m_1 + 4 m_2 + 8 m_3, we find m_0 by evaluating c^{(q−1)/2} mod q. 
PowerMod[7, 8, 17] 


16 


Since this is −1 we know that m_0 = 1. Compute c_1 = c/3 = 6·c = 8 mod 17. Then m_1 can be found 
from c_1^{(q−1)/4} mod q 


PowerMod[8, 4, 17] 
16 


Again this is −1, so m_1 = 1. Compute c_2 = c_1/3^2 = 6^2·c_1 = 16 mod 17. Then m_2 can be found from 
c_2^{(q−1)/8} mod q 


PowerMod[16, 2, 17] 


1 


Since the outcome is 1, we have m_2 = 0. So, c_3 = c_2 and m_3 can be found from c_3^{(q−1)/16} mod q 


PowerMod[16, 1, 17] 


16 
We now also have m_3 = 1 and thus m = 1·2^0 + 1·2^1 + 0·2^2 + 1·2^3 = 11. We can check this with: 


PowerMod[3, 11, 17] 


7 


□ General Case: q − 1 has only small prime factors 


Let q − 1 = $\prod_{i=1}^{k} p_i^{n_i}$, where the p_i's are different primes and the exponents n_i are strictly positive 
(see the Fundamental Theorem in Number Theory, Thm. A.6). We assume that all p_i's are small. 
Later we shall say precisely what we mean by that. 


Instead of solving m from (8.1) directly, we shall determine 
m^{(i)} = m (mod p_i^{n_i}), 1 ≤ i ≤ k. (8.3) 


With the Chinese Remainder Theorem (Thm. A.19) one can compute m efficiently from these 
m^{(i)}'s. 


To determine m^{(1)} (the other m^{(i)}'s can be found in the same way) we write it in its p_1-ary 
representation. For the sake of convenience we drop all the sub- and superscripts referring to the 
i = 1 case. 


m^{(1)} = m_0 + m_1 p + ... + m_{n−1} p^{n−1}, m_i ∈ {0, 1, ..., p − 1}, 0 ≤ i ≤ n − 1. 


Similarly to the Special Case (k = 1, p = 2), we will find the coefficients m_i by single 
exponentiations. 


Coefficient m_0 can be found by evaluating c^{(q−1)/p}. From Theorem B.21 it follows that 
(c^{(q−1)/p})^p = 1, which implies that c^{(q−1)/p} is a p-th root of unity. 


Define the primitive p-th root of unity ω by ω = α^{(q−1)/p} and make a table of 1, ω, ω^2, ..., ω^{p−1}. 


Then, because m = m^{(1)} mod p^n and m^{(1)} = m_0 mod p, we have 
c^{(q−1)/p} = (α^m)^{(q−1)/p} = α^{m(q−1)/p} = α^{m^{(1)}(q−1)/p} = α^{m_0(q−1)/p} = ω^{m_0}. 
So, a simple table lookup of c^{(q−1)/p} will yield m_0. 


To determine m_1, we first compute c_1 = c·α^{−m_0} and then evaluate c_1^{(q−1)/p^2}, etc., until m^{(1)} has been 
determined. Similar calculations have to be made to determine the other m^{(i)}'s. 


For this algorithm, we have to make tables of the powers of the primitive p-th roots of unity for all 
the prime factors of q − 1. 


The values of these factors have to be small enough to be able to store them. 


Each time that we want to take a logarithm the algorithm will have to take Σ_{i=1}^{k} n_i exponentiations, therefore, the algorithm involves

Σ_{i=1}^{k} 2⌈log_2 q⌉·n_i ≈ 2 log_2 q · (Σ_{i=1}^{k} n_i) ≤ 2 (log_2 q)^2

operations, if we forget about the lower order terms. Again we have a quadratic relation between using the Diffie-Hellman key-exchange system and breaking it.


An Example of the Pohlig-Hellman Algorithm


Example 8.7
Consider Equation (8.1) with q = 8101, primitive element a = 6.
Note that q is a prime number, so GF(q) = Z_{8101}.


Preliminary Calculations.

First of all we factor q − 1 and compute the multiplicative inverse of 6 modulo 8101 with the Mathematica functions FactorInteger and PowerMod.

q = 8101; a = 6;
FactorInteger[q - 1]
x = PowerMod[a, -1, q]

{{2, 2}, {3, 4}, {5, 2}}
6751

So, q − 1 = 2^2·3^4·5^2 and a^{-1} = 6751.


Next we use the PowerMod function again to calculate the primitive 2-nd, 3-rd and 5-th roots of unity: w_1 = 6^{(8101-1)/2}, w_2 = 6^{(8101-1)/3}, and w_3 = 6^{(8101-1)/5}.

PowerMod[6, (q - 1)/2, q]
PowerMod[6, (q - 1)/3, q]
PowerMod[6, (q - 1)/5, q]

8100
5883
3547

So, w_1 = 8100, w_2 = 5883, and w_3 = 3547. With the Table function we make the following three tables:

Table[PowerMod[8100, i, q], {i, 0, 1}]
Table[PowerMod[5883, i, q], {i, 0, 2}]
Table[PowerMod[3547, i, q], {i, 0, 4}]

{1, 8100}
{1, 5883, 2217}
{1, 3547, 356, 7077, 5221}

Hence, we have the tables

 i      0     1
 w_1^i  1  8100

 i      0     1     2
 w_2^i  1  5883  2217

 i      0     1    2     3     4
 w_3^i  1  3547  356  7077  5221

The preliminary work for the Chinese Remainder Theorem consists of solving the following three systems of linear congruence relations:


u ≡ 1 (mod 4),   u ≡ 0 (mod 81),   u ≡ 0 (mod 25);
v ≡ 0 (mod 4),   v ≡ 1 (mod 81),   v ≡ 0 (mod 25);
w ≡ 0 (mod 4),   w ≡ 0 (mod 81),   w ≡ 1 (mod 25).


These three systems can be solved with the Mathematica function ChineseRemainderTheorem, for which we first have to load the package NumberTheory`NumberTheoryFunctions`.





<<NumberTheory`NumberTheoryFunctions`








u = ChineseRemainderTheorem[{1, 0, 0}, {4, 81, 25}]
v = ChineseRemainderTheorem[{0, 1, 0}, {4, 81, 25}]
w = ChineseRemainderTheorem[{0, 0, 1}, {4, 81, 25}]

2025
6400
7776

So, u ≡ 2025 (mod 8100), v ≡ 6400 (mod 8100), w ≡ 7776 (mod 8100).
This concludes the preliminary work.


Solving Equation (8.1) for: c = 7531, q = 8101. 


We first determine m^{(i)} ≡ m (mod p_i^{n_i}), 1 ≤ i ≤ 3, as defined in (8.2), with the method explained above. Of course, the tables that we just made have to be consulted at each step.


First prime factor: p_1 = 2, n_1 = 2.
c_0 = c = 7531,            c_0^{(8101-1)/2} = 8100,     m_0 = 1,
c_1 = c_0·a^{-1} = 8006,   c_1^{(8101-1)/2^2} = 1,      m_1 = 0.

Hence m^{(1)} = 1 + 0·2^1 = 1.


Second prime factor: p_2 = 3, n_2 = 4.
c_0 = c = 7531,                   c_0^{(8101-1)/3} = 2217,     m_0 = 2,
c_1 = c_0·a^{-2} = 6735,          c_1^{(8101-1)/3^2} = 1,      m_1 = 0,
c_2 = c_1 = 6735,                 c_2^{(8101-1)/3^3} = 2217,   m_2 = 2,
c_3 = c_2·a^{-2·3^2} = 6992,      c_3^{(8101-1)/3^4} = 5883,   m_3 = 1.

Hence m^{(2)} = 2 + 0·3^1 + 2·3^2 + 1·3^3 = 47.


Third prime factor: p_3 = 5, n_3 = 2.
c_0 = c = 7531,            c_0^{(8101-1)/5} = 5221,     m_0 = 4,
c_1 = c_0·a^{-4} = 7613,   c_1^{(8101-1)/5^2} = 356,    m_1 = 2.

Hence m^{(3)} = 4 + 2·5^1 = 14.


The final solution m is given by:

Mod[2025*1 + 6400*47 + 7776*14, 8100]

6689

This can easily be checked.

PowerMod[6, 6689, 8101]

7531


In Mathematica, the precalculation of u, v, and w is not really necessary, because m can be computed directly from m^{(1)}, m^{(2)}, and m^{(3)} with the ChineseRemainderTheorem function:

ChineseRemainderTheorem[{1, 47, 14}, {4, 81, 25}]

6689
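The General Case procedure and Example 8.7 in working code, as an added example that is not part of the book: factor q − 1, read off the p-ary digits of each m^{(i)} from a table of p-th roots of unity, and combine the m^{(i)} with the Chinese Remainder Theorem. The function names (factor_integer, crt, pohlig_hellman) are my own; for the Special Case run the value c = 3^11 mod 17 = 7 is computed here, the page only shows the check PowerMod[3, 11, 17].

```python
from math import gcd


def factor_integer(n):
    """Trial-division factorisation (fine for the small q - 1 of these examples).
    Returns [(p, e), ...] in the style of Mathematica's FactorInteger."""
    factors, p = [], 2
    while p * p <= n:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        if e:
            factors.append((p, e))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli (Thm. A.19), built up
    one modulus at a time instead of via the precomputed u, v, w of Example 8.7."""
    x, m_total = 0, 1
    for r, m in zip(residues, moduli):
        assert gcd(m_total, m) == 1
        t = ((r - x) * pow(m_total, -1, m)) % m   # lift x so that x = r (mod m)
        x += m_total * t
        m_total *= m
    return x % m_total


def pohlig_hellman(a, c, q):
    """Solve a^m = c (mod q) for a prime q whose q - 1 has only small prime factors.
    For every prime power p^n dividing q - 1 the p-ary digits of m^(i) = m mod p^n
    are read off, one exponentiation each, from a table of the p-th roots of unity
    (the General Case above); the m^(i) are then combined by the CRT."""
    N = q - 1
    a_inv = pow(a, -1, q)
    residues, moduli = [], []
    for p, n in factor_integer(N):
        w = pow(a, N // p, q)                            # primitive p-th root of unity
        table = {pow(w, i, q): i for i in range(p)}      # look-up w^i -> i
        m_i, cur = 0, c                                  # cur = c_l = c * a^(-(m_0 + m_1 p + ...))
        for l in range(n):
            # c_l^((q-1)/p^(l+1)) = w^(m_l): the table gives the next digit
            m_l = table[pow(cur, N // p ** (l + 1), q)]
            m_i += m_l * p ** l
            cur = cur * pow(a_inv, m_l * p ** l, q) % q  # strip the digit just found
        residues.append(m_i)
        moduli.append(p ** n)
    return crt(residues, moduli)


if __name__ == "__main__":
    # Example 8.7: q = 8101, a = 6, c = 7531
    print(pohlig_hellman(6, 7531, 8101))   # 6689
    # Special Case q - 1 = 2^4 from the start of the section: log_3(7) in GF(17)
    print(pohlig_hellman(3, 7, 17))        # 11
```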


If q − 1 has large prime factors, the dominant term in the workload of the Pohlig-Hellman algorithm will be the Σ_{i=1}^{k} p_i exponentiations necessary for the generation of the tables {1, w_i, ..., w_i^{p_i - 1}}, 1 ≤ i ≤ k, and the number Σ_{i=1}^{k} n_i of exponentiations necessary to determine the m^{(i)}'s.

In the next subsection, we shall explain a method to take logarithms if one (or more) of the prime power factors of q − 1 is too large to store the tables in the Pohlig-Hellman method.
8.3.2 The Baby-Step Giant-Step Method


If one (or more) of the prime power factors of q − 1 is too large for the Pohlig-Hellman method, the method below can be used. It gives the user full freedom to balance the length of the table that he wants to store against the remaining work factor.


We start with an example. 


Example 8.8
Consider the equation 29^m ≡ 30 (mod 97) and assume that we can only store a table with 10 field elements.

We make a table of 29^i mod 97 for i = 0, 1, ..., 9 and we compute 29^{-1} mod 97 with the Mathematica functions Table, PowerMod, GridBox, and Transpose.





q = 97; a = 29;
powers = Table[{PowerMod[29, i, q], i}, {i, 0, 9}];
GridBox[Transpose[powers],
  RowLines -> True, ColumnLines -> True] // DisplayForm
x = PowerMod[a, -1, q]

 29^i mod 97 | 1 | 29 | 65 | 42 | 54 | 14 | 18 | 37 | 6 | 77
 i           | 0 |  1 |  2 |  3 |  4 |  5 |  6 |  7 | 8 |  9

87

We also find that 29^{-1} ≡ 87 (mod 97).


Writing m = 10j + i, 0 ≤ i ≤ 9, we see that 29^m ≡ 30 (mod 97) can be rewritten as 29^i ≡ 30·29^{-10j} (mod 97) or as 29^i ≡ 30·87^{10j} (mod 97). Since 87^{10} ≡ 49 (mod 97), we have the equivalent problem of solving 29^i ≡ 30·49^j (mod 97), 0 ≤ i ≤ 9.

We do this by trying j = 0, 1, ... and each time checking if 30·49^j mod 97 occurs in the list of powers {1, 29, 29^2, ..., 29^9} (mod 97). Note that m < 97, so j ≤ ⌊97/10⌋ = 9.


To facilitate the table lookup, we sort the elements in the table of powers with the function Sort.

sortedpowers = Sort[powers];
GridBox[Transpose[sortedpowers],
  RowLines -> True, ColumnLines -> True] // DisplayForm

 29^i mod 97 | 1 | 6 | 14 | 18 | 29 | 37 | 42 | 54 | 65 | 77
 i           | 0 | 8 |  5 |  6 |  1 |  7 |  3 |  4 |  2 |  9
Next, we try 30·49^j mod 97 until we see the answer appear in the table above. We use the Mathematica functions While, MemberQ, and Mod. We also print the corresponding column of the table of sorted powers (j has to be decreased by 1, because we started the numbering of j with 0).

j = 0;
While[
  MemberQ[sortedpowers, {Mod[30*49^j, 97], _}] == False,
  j = j + 1];
j
sortedpowers[[j - 1]]

4
{14, 5}

We conclude that j = 4 and that 30·49^j mod 97 occurs in the table as 14, which is 29^5 mod 97 (hence i = 5). Indeed

Mod[30*49^4, 97] == Mod[29^5, 97]

True


It follows that m = 10j + i = 10·4 + 5 = 45. Indeed, 29^{45} ≡ 30 (mod 97), as can be easily checked with:

PowerMod[29, 45, 97]
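Example 8.8 and the trade-off of Theorem 8.1 in working code, as an added Python example (not the book's Mathematica): baby_step_giant_step writes m = u·j + i for a table of u entries, and bsgs_tradeoff picks u = ⌈p^t⌉ for a trade-off value t. The function names are my own.

```python
from math import ceil


def baby_step_giant_step(alpha, c, q, table_size, order=None):
    """Solve alpha^m = c (mod q) with a baby-step table of `table_size` entries.
    `order` is the order of alpha (q - 1 for a primitive element). The exponent is
    written m = table_size * j + i, 0 <= i < table_size, as in Example 8.8.
    Returns (m, j, i), or None if c is not a power of alpha."""
    order = q - 1 if order is None else order
    u = table_size
    # Baby steps: alpha^i -> i for 0 <= i < u.  A dictionary replaces the sorted
    # table of the text (the look-up costs about log_2(u) or less either way).
    baby, x = {}, 1
    for i in range(u):
        baby.setdefault(x, i)
        x = x * alpha % q
    # Giant steps multiply by alpha^(-u); in Example 8.8 this is 29^(-10) = 87^10 = 49.
    giant = giant_step_factor(alpha, q, u)
    y = c % q
    for j in range((order - 1) // u + 1):
        if y in baby:
            return u * j + baby[y], j, baby[y]
        y = y * giant % q
    return None


def giant_step_factor(alpha, q, table_size):
    """alpha^(-table_size) mod q, the constant used for every giant step."""
    return pow(pow(alpha, -1, q), table_size, q)


def bsgs_tradeoff(alpha, c, q, order, t):
    """Theorem 8.1: a trade-off value t in [0, 1] means a table of ceil(order^t)
    entries and at most about order^(1 - t) giant steps; returns m."""
    u = max(1, ceil(order ** t))
    return baby_step_giant_step(alpha, c, q, u, order)[0]


if __name__ == "__main__":
    print(baby_step_giant_step(29, 30, 97, 10))     # (45, 4, 5)
    print(bsgs_tradeoff(6, 7531, 8101, 8100, 0.5))   # 6689, the answer of Example 8.7
```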


The above method will now be stated in full generality. 
Theorem 8.1 Baby-Step Giant-Step Method

Let a be a primitive element of GF(q). Let p be a divisor of q − 1 (not necessarily prime) and define w = a^{(q-1)/p}. So, w is a primitive p-th root of unity.

Let c be any p-th root of unity. Then, for every (trade-off value) t, 0 ≤ t ≤ 1, one can find the exponent m, 0 ≤ m ≤ p − 1, satisfying

c = w^m

with an algorithm that uses
p^{1-t}(1 + log_2 p^t) operations,
p^t log_2 q bits of memory space,

and an initial calculation involving
p^t(1 + log_2 p^t) operations.


Proof: Let u = ⌈p^t⌉. We make a table of the successive powers w^i, 0 ≤ i ≤ u − 1. This requires u ≈ p^t multiplications.

Next, we sort this table in p^t log_2 p^t operations, see [Knut73], p. 184. Together this explains the number of operations in the precalculation.

Each of the u ≈ p^t field elements in the table needs log_2 q bits of memory space. This explains the memory requirement above.

Define i and j by
m = j·u + i, 0 ≤ i < u ≈ p^t.
Observe that
0 ≤ j ≤ ⌊(p − 1)/u⌋ < p/u ≈ p^{1-t}.

Of course solving c = w^m is equivalent to finding i and j, 0 ≤ i < u, satisfying
w^i = c·w^{-uj}.

To solve this equation, we simply compute c·w^{-ul}, for l = 0, 1, ... and check if the outcome appears in the table. This will happen when l = j, so before l = ⌈p^{1-t}⌉.

For each value of l we have to perform 1 multiplication and a table look-up, which costs another log_2 p^t operations.

□


For t = 1/2 this algorithm reduces to the √q (both for memory and time complexity) algorithm that was mentioned at the end of Subsection 8.1.1.

The two extreme cases of the algorithm are:
t = 0: no table at all; all powers 1, w, w^2, ... need to be tried.
t = 1: complete table of 1, w, w^2, ..., w^{p-1} is present; only a single table look-up is needed.

Note that the product of computing time and bits of memory space in the above algorithm is more or less constant.
8.3.3 The Pollard-ρ Method

The time complexity of the Pollard-ρ Method [Poll78] is the same as that of the Baby-Step Giant-Step method explained in the previous section. The advantage lies in the minimal memory requirements.

We shall explain the Pollard-ρ Method for the special case of a multiplicative subgroup G of GF(q) of prime order. So, we want to solve m, 0 ≤ m < p, from the equation c = α^m (see (8.1)), where α ∈ GF(q) has order p, p prime, and where c ∈ GF(q) is some given p-th root of unity. Note that p divides q − 1 by Theorem B.5.


Example 8.9 (Part 1)

To avoid calculations in a finite field, we take for q the prime number 4679. Note that q − 1 = 2 × 2339. Further we observe that 11 is a primitive element of GF(4679) and thus that α = 11^{(q-1)/2339} = 11^2 = 121 is the generator of a multiplicative subgroup of order 2339. All these calculations can be easily checked with the Mathematica functions PrimeQ, FactorInteger, PowerMod and the function MultiplicativeOrder

MultiplicativeOrder[a_, n_] := If[GCD[a, n] == 1,
  Divisors[EulerPhi[n]] //.
    {x_, y___} -> If[PowerMod[a, x, n] == 1, x, {y}]];

that was introduced in Subsection B.4.1.

q = 4679;
PrimeQ[q]
FactorInteger[q - 1]
MultiplicativeOrder[11, q]
PowerMod[11, 2, q]
MultiplicativeOrder[121, q]

True
{{2, 1}, {2339, 1}}
4678
121
2339


Further on, we shall continue with this example, when we want to solve the equation

121^m ≡ 3435 (mod 4679).

Note that this equation must have a solution, since 3435 is indeed a 2339-th root of unity in GF(4679). Indeed, all 2339-th roots of unity are a zero of x^{2339} − 1 and by Theorem B.15 there are no other zeros of this polynomial.

PowerMod[3435, 2339, 4679]

1





In order to solve c = α^m, we partition the multiplicative subgroup G of GF(q) of order p into three subsets G_i, i = 0, 1, 2, as follows:

x ∈ G_i ⟺ x ≡ i (mod 3).

We define a sequence {x_i}_{i≥0} in GF(q) recursively by x_0 = 1 and

x_{i+1} = f(x_i) = x_i^2 mod q,    if x_i ∈ G_0,
                 = c·x_i mod q,    if x_i ∈ G_1,         (8.4)
                 = α·x_i mod q,    if x_i ∈ G_2.


With the sequence {x_i}_{i≥0} we associate two other sequences {a_i}_{i≥0} and {b_i}_{i≥0} in such a way that for all i ≥ 0

x_i = α^{a_i} c^{b_i}.

To this end, take a_0 = b_0 = 0 and use the recursions

a_{i+1} = 2 a_i mod p,       if x_i ∈ G_0,
        = a_i,               if x_i ∈ G_1,
        = a_i + 1 mod p,     if x_i ∈ G_2;

b_{i+1} = 2 b_i mod p,       if x_i ∈ G_0,
        = b_i + 1 mod p,     if x_i ∈ G_1,
        = b_i,               if x_i ∈ G_2.

Note that by induction
x_{i+1} = x_i^2 = (α^{a_i} c^{b_i})^2 = α^{2 a_i} c^{2 b_i} = α^{a_{i+1}} c^{b_{i+1}},    if x_i ∈ G_0,
x_{i+1} = c·x_i = c·α^{a_i} c^{b_i} = α^{a_i} c^{b_i + 1} = α^{a_{i+1}} c^{b_{i+1}},     if x_i ∈ G_1,
x_{i+1} = α·x_i = α·α^{a_i} c^{b_i} = α^{a_i + 1} c^{b_i} = α^{a_{i+1}} c^{b_{i+1}},     if x_i ∈ G_2.
As soon as we have two distinct indices i and j with x_i = x_j we are done, because this would imply that α^{a_i} c^{b_i} = α^{a_j} c^{b_j} and thus that α^{a_i - a_j} = c^{b_j - b_i}. Provided that b_i ≠ b_j, we have found the solution

m ≡ (a_i − a_j)/(b_j − b_i) (mod p).

If b_i = b_j, which happens with negligible probability, we put c' = c·α and solve c' = α^{m'}, where m' = m + 1.


To find indices i and j with x_i = x_j, we follow Floyd's cycle-finding algorithm: find an index i such that x_i = x_{2i} (so, take j = 2i).

To this end, we start with the pair (x_1, x_2), calculate (x_2, x_4), then (x_3, x_6), and so on, each time calculating (x_{i+1}, x_{2i+2}) from the previously calculated (x_i, x_{2i}) by the defining rules x_{i+1} = f(x_i) and x_{2i+2} = f^2(x_{2i}). In this way, huge storage requirements can be avoided.


Example 8.9 (Part 2) 


We continue with Example 8.9. Hence, we have q = 4679, α = 121, an element of (prime) order p = 2339, and c = 3435. I.e. we have the equation:

121^m ≡ 3435 (mod 4679).

The recurrence relation for the {x_i}_{i≥0} sequence can be evaluated by means of the Which and Mod functions.

RecX[x_, alp_, c_, q_] := Which[Mod[x, 3] == 0, Mod[x^2, q],
  Mod[x, 3] == 1, Mod[c*x, q], Mod[x, 3] == 2, Mod[alp*x, q]]





The smallest index i, i ≥ 1, satisfying x_i = x_{2i} can quite easily be found with the help of the While function.

alp = 121; c = 3435; q = 4679;
x1 = RecX[1, alp, c, q];
x2 = RecX[x1, alp, c, q]; i = 1;
While[x1 != x2, x1 = RecX[x1, alp, c, q];
  x2 = RecX[RecX[x2, alp, c, q], alp, c, q]; i = i + 1];
i

76


So, x_{76} = x_{152} and m ≡ (a_{152} − a_{76})/(b_{76} − b_{152}) (mod 2339). However, above we did not update the values of the sequences a_i and b_i. We will do that now.

RecurrDef[{x_, a_, b_}] := Which[
  Mod[x, 3] == 0,
    {Mod[x^2, q], Mod[2a, p], Mod[2b, p]},
  Mod[x, 3] == 1, {Mod[c*x, q], a, Mod[b + 1, p]},
  Mod[x, 3] == 2, {Mod[alp*x, q], Mod[a + 1, p], b}]

Iterating RecurrDef from {1, 0, 0} gives for i = 76:
x_i = 492,    a_i = 84,    b_i = 2191,
x_{2i} = 492, a_{2i} = 286, b_{2i} = 915.


Indeed, the relation x_i = α^{a_i} c^{b_i} gives the same value for i = 76 and i = 2 × 76:

492


The solution m of 121^m ≡ 3435 (mod 4679) can now be determined from

m ≡ (286 − 84)/(2191 − 915) (mod 2339).

1111


That m = 1111 is indeed the solution can be checked with

PowerMod[alp, 1111, q] == c

True
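Example 8.9 carried out in Python as an added example (not the book's Mathematica): the recursion (8.4), the exponent bookkeeping for a_i and b_i, Floyd's cycle finding, and the fallback c' = c·α for the negligible case b_i = b_{2i}. The function names are my own.

```python
def rho_step(x, a, b, alpha, c, q, p):
    """One step of the recursion (8.4) together with the exponent bookkeeping
    that keeps x = alpha^a * c^b: G_0 squares, G_1 multiplies by c, G_2 by alpha."""
    if x % 3 == 0:
        return x * x % q, 2 * a % p, 2 * b % p
    if x % 3 == 1:
        return c * x % q, a, (b + 1) % p
    return alpha * x % q, (a + 1) % p, b


def pollard_rho_log(alpha, c, q, p):
    """Solve alpha^m = c (mod q), alpha of prime order p, with Floyd's cycle finding:
    tortoise (x_i, a_i, b_i) and hare (x_2i, a_2i, b_2i), from x_0 = 1, a_0 = b_0 = 0.
    Returns (m, i, tortoise, hare); m is None when b_i = b_2i (the negligible case)."""
    tort = rho_step(1, 0, 0, alpha, c, q, p)          # (x_1, a_1, b_1)
    hare = rho_step(*tort, alpha, c, q, p)            # (x_2, a_2, b_2)
    i = 1
    while tort[0] != hare[0]:
        tort = rho_step(*tort, alpha, c, q, p)                           # x_{i+1} = f(x_i)
        hare = rho_step(*rho_step(*hare, alpha, c, q, p), alpha, c, q, p)  # x_{2i+2} = f^2(x_2i)
        i += 1
    _, a_i, b_i = tort
    _, a_2i, b_2i = hare
    # alpha^(a_i) c^(b_i) = alpha^(a_2i) c^(b_2i)  ==>  m = (a_2i - a_i)/(b_i - b_2i) mod p
    if (b_i - b_2i) % p == 0:
        return None, i, tort, hare
    m = (a_2i - a_i) * pow((b_i - b_2i) % p, -1, p) % p
    return m, i, tort, hare


def discrete_log_rho(alpha, c, q, p):
    """pollard_rho_log with the text's fallback: if b_i = b_2i, solve for
    c' = c * alpha (so m' = m + 1) and shift the answer back."""
    shift = 0
    while True:
        m, _, _, _ = pollard_rho_log(alpha, c * pow(alpha, shift, q) % q, q, p)
        if m is not None:
            return (m - shift) % p
        shift += 1


if __name__ == "__main__":
    m, i, tort, hare = pollard_rho_log(121, 3435, 4679, 2339)
    print(i, tort, hare)                  # 76 (492, 84, 2191) (492, 286, 915)
    print(m, pow(121, m, 4679) == 3435)   # 1111 True
```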


The ρ in the name of this algorithm reflects the shape of the {x_i}_{i≥0} sequence: after a while it starts cycling around. The memory requirements of Floyd's cycle finding algorithm are indeed minimal. The expected running time is √p. For further details, the reader is referred to [Poll78].


8.3.4 The Index-Calculus Method 


General Discussion


To describe the index-calculus method in general we consider a cyclic group G of order N generated by an element g. So, G = {e, g, g^2, ..., g^{N-1}} and g^N = e.

In this setting we want to solve m from g^m = h (see (8.1)) for a given h ∈ G.
The basic idea of the index-calculus method consists of the following steps: 


1) Select an appropriate subset S of G with the property that a large proportion of the elements of G can be expressed as a product of elements of S in an efficient way. This set S is called the factor base. An element of G that can be expressed as a product of elements of S is called smooth with respect to S. Let k be the size of S. In the next two steps each element in S will be written as a power of g.

2) Find a sufficiently large collection J of exponents i with the property that each g^i, i ∈ J, can be expressed efficiently as a product of elements of S, say g^i = s_1^{t_1} s_2^{t_2} ··· s_k^{t_k}. Taking the log_g of both hands, we get a set of linear congruence relations

i ≡ t_1 log_g s_1 + t_2 log_g s_2 + ... + t_k log_g s_k (mod N), i ∈ J.

3) Treating the numbers log_g s_j, 1 ≤ j ≤ k, as unknowns, solve the above system of linear congruence relations (for this, the system of linear congruence relations has to have rank k and the set J will have to be sufficiently large).

4) Pick a random exponent r and try to express g^r·h as a product of elements of S. As soon as this has happened, say g^r·h = s_1^{v_1} s_2^{v_2} ··· s_k^{v_k}, we again take the log_g of both hands and get

r + m ≡ v_1 log_g s_1 + v_2 log_g s_2 + ... + v_k log_g s_k (mod N).

Since the values of each log_g s_j have already been determined in Step 3 and r was chosen, m can be determined from this congruence relation.


Note that Steps 2 and 3 aim to solve the logarithm problem for all the elements in the factor base. 
Step 4 tries to reduce the current logarithm problem to the factor base elements. 
It may be clear that the optimal size of the factor base S is a compromise between manageable storage requirements and the probability that a random element in G (namely g^r h) can be expressed as a product of elements of S.


In general, there are two (related) unresolved problems in the above approach.
• How can one determine a good factor base?
• How does one express an element in G as a product of elements of S?


In the next subsubsections we demonstrate the above method for two special cases where more can 
be said about the above two questions. 


Complexity 


There are many variations of the index-calculus method. Typically, their complexity grows subexponentially in log_2 N, while the methods described in Subsections 8.3.1, 8.3.2, and 8.3.3 are all exponential in log_2 N.


Z_p^*, i.e. the Multiplicative Group of GF(p)
In this case, G = {1, 2, ..., p − 1}. Let g be a generator of this group.

Choice of the factor base S: the first k prime numbers, p_1, p_2, ..., p_k.

If k is sufficiently big, a large proportion of the elements in G can be expressed as a product of powers of these k primes, i.e. they will be smooth with respect to S.

Technique to express an element in G as a product of elements of S: divide the element by the p_j's.

Complexity
Adleman in [Adle79] analyzes this technique in detail and arrives at a complexity of

exp(C √(ln p · ln ln p))

for some constant C.


Example 8.10

Consider Z_{541}^* with primitive element g = 2. That 541 is prime and that 2 is a primitive element can be checked with the Mathematica functions PrimeQ, FactorInteger, and PowerMod. Indeed, the order of 2 divides |Z_{541}^*| = 540 by Theorem B.5, therefore, we only have to check that 2^{(p-1)/l} ≢ 1 (mod 541) for the prime divisors l of p − 1 = 540.

p = 541;
PrimeQ[p]
FactorInteger[p - 1]

True
{{2, 2}, {3, 3}, {5, 1}}

PowerMod[2, (541 - 1)/2, p]
PowerMod[2, (541 - 1)/3, p]
PowerMod[2, (541 - 1)/5, p]

540
129
48


As factor base S we take the set of the first five prime numbers, which can be generated with the Mathematica functions Prime and Table.

Table[Prime[i], {i, 1, 5}]

{2, 3, 5, 7, 11}


We want to write each of the elements in this factor base as a power of g = 2, i.e. we want to solve the logarithm problem for the elements in the factor base. To this end, we try to find powers of g = 2 in Z_{541}^* that can be expressed as a product of elements in {2, 3, 5, 7, 11}. For this, we can use the Mathematica functions FactorInteger and PowerMod. When trying

p = 541;
try = PowerMod[2, 102, p]
FactorInteger[try]

136
{{2, 3}, {17, 1}}

we see that we have no complete factorization in {2, 3, 5, 7, 11}.


After some trial and error we did find the elements 2^{14}, 2^{81}, 2^{207}, 2^{214}, and 2^{300} achieving our goal.

FactorInteger[PowerMod[2, 14, p]]
FactorInteger[PowerMod[2, 81, p]]
FactorInteger[PowerMod[2, 207, p]]
FactorInteger[PowerMod[2, 214, p]]
FactorInteger[PowerMod[2, 300, p]]

{{2, 1}, {7, 1}, {11, 1}}
{{2, 1}, {3, 1}, {7, 2}}
{{5, 2}, {11, 1}}
{{5, 1}, {7, 1}}
{{2, 5}, {11, 1}}


Writing m_1 = log_2 2, m_2 = log_2 3, m_3 = log_2 5, m_4 = log_2 7, m_5 = log_2 11 and taking the logarithms on both sides gives five linear congruence relations in m_1, m_2, ..., m_5.

For example, 2^{207} ≡ 5^2·11^1 mod 541 can be rewritten as
2^{207} ≡ 2^{2 log_2 5}·2^{1·log_2 11} = 2^{2 m_3}·2^{m_5} mod 541.

Taking log_2 on both sides gives the congruence relation
207 ≡ 2 m_3 + m_5 mod 540.

So, we have:

14 ≡ m_1 + m_4 + m_5 (mod 540),
81 ≡ m_1 + m_2 + 2 m_4 (mod 540),
207 ≡ 2 m_3 + m_5 (mod 540),
214 ≡ m_3 + m_4 (mod 540),
300 ≡ 5 m_1 + m_5 (mod 540).


The above system of linear congruence relations can be solved with the Solve function:

Solve[{m1 + m4 + m5 == 14, m1 + m2 + 2 m4 == 81, 2 m3 + m5 == 207,
  m3 + m4 == 214, 5 m1 + m5 == 300, Modulus == 540},
  {m1, m2, m3, m4, m5}]

{{Modulus -> 540, m2 -> 104, m3 -> 496, m1 -> 1, m4 -> 258, m5 -> 295}}

So, we know that

m_1 = log_2 2 = 1, m_2 = log_2 3 = 104, m_3 = log_2 5 = 496, m_4 = log_2 7 = 258, m_5 = log_2 11 = 295

or, equivalently

2^1 ≡ 2 mod 541, 2^{104} ≡ 3 mod 541, 2^{496} ≡ 5 mod 541, 2^{258} ≡ 7 mod 541, 2^{295} ≡ 11 mod 541.

If the above linear congruence relations are not linearly independent one has to replace some equations by others until they are linearly independent.

Let us now find a solution of 2^m ≡ 345 (mod 541).

From

FactorInteger[345]
FactorInteger[Mod[2^2 345, 541]]
FactorInteger[Mod[2^10 345, 541]]
FactorInteger[Mod[2^13 345, 541]]

{{3, 1}, {5, 1}, {23, 1}}
{{2, 1}, {149, 1}}
{{3, 2}, {41, 1}}
{{2, 3}, {7, 1}}

we see that 345 can not be expressed as a product of elements of S, nor can 2^2 × 345 and 2^{10} × 345, but 2^{13} × 345 = 2^3·7^1 in GF(541).
We conclude that

13 + m ≡ 3·m_1 + 1·m_4 = 3 × 1 + 258 = 261 (mod 540),

therefore, the solution of 2^m ≡ 345 (mod 541) is given by

m ≡ 248 (mod 540).


This can easily be checked with

PowerMod[2, 248, 541]

345


Because of the small parameters, we can find out explicitly how many elements in {1, 2, ..., 540} can be expressed as a product of elements of S. We use the Mathematica functions Select, Flatten, Table, Sort, and Length and make use of the fact that the exponent of 2 is at most ⌊log_2 541⌋ = 9, the exponent of 3 is at most ⌊log_3 541⌋ = 5, etc., in any number less than 541.

BaseProd = Select[
  Flatten[Table[2^i1 3^i2 5^i3 7^i4 11^i5,
    {i1, 0, Log[2, 541]},
    {i2, 0, Log[3, 541]},
    {i3, 0, Log[5, 541]},
    {i4, 0, Log[7, 541]},
    {i5, 0, Log[11, 541]}]],
  # < 541 &] // Sort
Length[BaseProd]

{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 18, 20, 21, 22,
 24, 25, 27, 28, 30, 32, 33, 35, 36, 40, 42, 44, 45, 48, 49, 50,
 54, 55, 56, 60, 63, 64, 66, 70, 72, 75, 77, 80, 81, 84, 88, 90,
 96, 98, 99, 100, 105, 108, 110, 112, 120, 121, 125, 126, 128,
 132, 135, 140, 144, 147, 150, 154, 160, 162, 165, 168, 175, 176,
 180, 189, 192, 196, 198, 200, 210, 216, 220, 224, 225, 231, 240,
 242, 243, 245, 250, 252, 256, 264, 270, 275, 280, 288, 294, 297,
 300, 308, 315, 320, 324, 330, 336, 343, 350, 352, 360, 363, 375,
 378, 384, 385, 392, 396, 400, 405, 420, 432, 440, 441, 448, 450,
 462, 480, 484, 486, 490, 495, 500, 504, 512, 525, 528, 539, 540}

142

Therefore, about a quarter of all elements in G can be expressed as a product of elements of S. That means that on the average it takes four trials (choices of r) before g^r h can be expressed as a product of elements of {2, 3, 5, 7, 11}.
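The four steps for Z_p^* and Example 8.10 in working code, as an added example that is not the book's: relations are collected from successive powers of g rather than by hand, the system is solved over Z/540 by Gauss-Jordan elimination restricted to pivots that are units (the book uses Solve with Modulus -> 540), and count_smooth reproduces the count of 142 smooth elements. The function names are my own.

```python
from math import gcd


def factor_over_base(n, base):
    """Trial division by the factor base (the 'technique' of the text). Returns the
    exponent vector of n over `base`, or None when n is not smooth w.r.t. S."""
    exps = []
    for s in base:
        e = 0
        while n % s == 0:
            n //= s
            e += 1
        exps.append(e)
    return exps if n == 1 else None


def solve_mod(rows, N):
    """Gauss-Jordan elimination over Z/N for a composite N (540 here), using only
    pivots that are units mod N.  rows = [(coefficients, right-hand side), ...].
    Raises ValueError when the relations do not pin down every unknown."""
    rows = [([v % N for v in co], r % N) for co, r in rows]
    k = len(rows[0][0])
    pivot_row = {}                               # column -> row holding its pivot
    found = True
    while found and len(pivot_row) < k:
        found = False
        for ri, (co, r) in enumerate(rows):
            if ri in pivot_row.values():
                continue
            for col in range(k):
                if col in pivot_row or gcd(co[col], N) != 1:
                    continue
                inv = pow(co[col], -1, N)        # normalise the pivot to 1
                co = [v * inv % N for v in co]
                r = r * inv % N
                rows[ri] = (co, r)
                for rj, (co2, r2) in enumerate(rows):
                    f = co2[col]
                    if rj != ri and f:           # clear the column in every other row
                        rows[rj] = ([(a - f * b) % N for a, b in zip(co2, co)],
                                    (r2 - f * r) % N)
                pivot_row[col] = ri
                found = True
                break
            if found:
                break
    if len(pivot_row) < k:
        raise ValueError("rank too small over the units: collect more relations")
    return [rows[pivot_row[col]][1] for col in range(k)]


def index_calculus(g, h, p, base):
    """log_g h in Z_p^* by the four steps of the text.  Returns (m, logs, r) where
    logs[j] = log_g base[j] and r is the exponent used in Step 4."""
    N = p - 1
    rows, logs, gi = [], None, 1
    for i in range(1, N):                        # Steps 2 and 3: smooth powers g^i
        gi = gi * g % p
        exps = factor_over_base(gi, base)
        if exps is None:
            continue
        rows.append((exps, i))                   # i = sum_j exps[j] * log_g s_j (mod N)
        if len(rows) >= len(base):
            try:
                logs = solve_mod(rows, N)
                break
            except ValueError:
                pass
    if logs is None:
        raise ValueError("factor base too small for this group")
    for r in range(N):                           # Step 4: make g^r h smooth
        exps = factor_over_base(pow(g, r, p) * h % p, base)
        if exps is not None:
            m = (sum(v * l for v, l in zip(exps, logs)) - r) % N
            return m, logs, r
    raise ValueError("no smooth multiple of h found")


def count_smooth(p, base):
    """How many of 1, ..., p - 1 are smooth w.r.t. base (142 of 540 in Example 8.10)."""
    return sum(1 for n in range(1, p) if factor_over_base(n, base) is not None)


if __name__ == "__main__":
    base = [2, 3, 5, 7, 11]
    print(index_calculus(2, 345, 541, base))   # (248, [1, 104, 496, 258, 295], 3)
    print(count_smooth(541, base))             # 142
```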
GF(2^n)

All elements in GF(2^n) can be represented by means of binary polynomials of degree < n in x modulo an irreducible polynomial f(x) (see Theorem B.16). One writes GF(2^n) = GF(2)[x]/(f(x)). Let the polynomial α = α(x) denote a primitive element of GF(2^n). Then GF(2^n) can also be represented by binary polynomials of degree < n modulo the minimal polynomial p(x) of α. It follows that α is a primitive element in GF(2)[α]/(p(α)), i.e. x is a primitive element in GF(2)[x]/(p(x)).

See Example B.6, where f(x) = x^4 + x^3 + x^2 + x + 1 defines GF(2^4) and where α(x) = 1 + x is a primitive element of GF(2^4) = GF(2)[x]/(x^4 + x^3 + x^2 + x + 1). This element α is a zero of the primitive polynomial p(x) = x^4 + x^3 + 1. In GF(2)[x]/(x^4 + x^3 + 1) the element x is a primitive element.


Equation (8.1), that we want to solve, can be reformulated as:

for every polynomial c(x) of degree < n, find the exponent m, 0 ≤ m ≤ 2^n − 2, such that
x^m ≡ c(x) (mod p(x)).

As choice of the factor base S we take all binary, irreducible polynomials of degree ≤ d, say p_1(x), p_2(x), ..., p_k(x). (The number of such polynomials is given by Theorem B.17.)

As a technique to express an element in GF(2^n) as a product of elements of S, we simply divide the element by the polynomials p_j(x).

A polynomial u(x) that can be expressed as a product of elements of S is called smooth with respect to S.

Complexity

Coppersmith [Copp84] analyzes this algorithm and finds as asymptotic running time

exp(C n^{1/3} (ln n)^{2/3})

for some constant C.

Later, further improvements have been found with names like number field sieve and function field sieve (see [AdDM93], [Adle94], and [HelR83]).

For an excellent survey on the discrete logarithm problem we refer the reader to [Odly85].


Example 8.11

We want to take a logarithm in GF(2^{10}). To represent GF(2^{10}) properly and to find a primitive element in it, we look for a primitive polynomial of degree 10. We do this with the Mathematica function FieldIrreducible for which the package Algebra`FiniteFields` has to be read first.

<<Algebra`FiniteFields`
fld = GF[2, 10];
FieldIrreducible[fld, x]

1 + x^7 + x^10

So, we take GF(2^{10}) = GF(2)[x]/(x^{10} + x^7 + 1) which has x as primitive element. Equation (8.1) now reads like:

find m such that x^m ≡ c(x) (mod x^{10} + x^7 + 1).

As factor base S we shall take the set of all irreducible polynomials of degree ≤ 4.

The reader may remember that all binary, irreducible polynomials of degree d appear in the factorization of x^{2^d} − x (see Theorem B.35).

Clear[x];
Factor[x^8 - x, Modulus -> 2]
Factor[x^16 - x, Modulus -> 2]

x (1 + x) (1 + x + x^3) (1 + x^2 + x^3)
x (1 + x) (1 + x + x^2) (1 + x + x^4) (1 + x^3 + x^4) (1 + x + x^2 + x^3 + x^4)

Hence, as factor base S we have:

p_1(x) = x,                   p_2(x) = 1 + x,
p_3(x) = 1 + x + x^2,         p_4(x) = 1 + x + x^3,
p_5(x) = 1 + x^2 + x^3,       p_6(x) = 1 + x + x^2 + x^3 + x^4,
p_7(x) = 1 + x + x^4,         p_8(x) = 1 + x^3 + x^4.


We want to write each of the elements in this factor base as a power of x, i.e. we want to solve the logarithm problem for the elements in the factor base. To this end, we try to find powers of x in GF(2)[x]/(x^{10} + x^7 + 1) that can be expressed as a product of the polynomials p_j(x), 1 ≤ j ≤ 8.

We use the Mathematica functions Factor and PolynomialMod.

attempt = PolynomialMod[x^…, {x^10 + x^7 + 1, 2}]
Factor[attempt, Modulus -> 2]

(1 + x)^2 (1 + x + x^2) (1 + x + x^3 + x^4 + x^5)
We conclude that x^… is not smooth with respect to our factor base S. After some trial and error we find the following list of smooth powers of x:

Factor[PolynomialMod[x, {x^10 + x^7 + 1, 2}], Modulus -> 2]
Factor[PolynomialMod[x^86, {x^10 + x^7 + 1, 2}], Modulus -> 2]
Factor[PolynomialMod[x^140, {x^10 + x^7 + 1, 2}], Modulus -> 2]
Factor[PolynomialMod[x^211, {x^10 + x^7 + 1, 2}], Modulus -> 2]
Factor[PolynomialMod[x^319, {x^10 + x^7 + 1, 2}], Modulus -> 2]
Factor[PolynomialMod[x^457, {x^10 + x^7 + 1, 2}], Modulus -> 2]
Factor[PolynomialMod[x^605, {x^10 + x^7 + 1, 2}], Modulus -> 2]
Factor[PolynomialMod[x^787, {x^10 + x^7 + 1, 2}], Modulus -> 2]

x
(1 + x + x^3) (1 + x^2 + x^3)
x^2 (1 + x + x^2)^2
(1 + x)^5 (1 + x + x^2 + x^3 + x^4)
(1 + x) (1 + x^3 + x^4) (1 + x + x^2 + x^3 + x^4)
(1 + x + x^2) (1 + x + x^3) (1 + x + x^4)
(1 + x) (1 + x^2 + x^3) (1 + x + x^4)
(1 + x + x^3) (1 + x^2 + x^3)^2


Writing p_j(x) ≡ x^{m_j} (mod x^{10} + x^7 + 1), these relations give rise to eight linear congruence relations. For instance, the last equation gives

x^{787} ≡ (1 + x + x^3)(1 + x^2 + x^3)^2 = p_4(x) (p_5(x))^2 ≡ x^{m_4} x^{2 m_5} (mod x^{10} + x^7 + 1).

Taking the logarithm on both sides gives the linear congruence relation

787 ≡ m_4 + 2 m_5 (mod 1023),

since 1023 is the multiplicative order of the primitive element x. In this way, the eight relations above can be rewritten as

1 ≡ m_1 (mod 1023),
86 ≡ m_4 + m_5 (mod 1023),
140 ≡ 2 m_1 + 2 m_3 (mod 1023),
211 ≡ 5 m_2 + m_6 (mod 1023),
319 ≡ m_2 + m_6 + m_8 (mod 1023),
457 ≡ m_3 + m_4 + m_7 (mod 1023),
605 ≡ m_2 + m_5 + m_7 (mod 1023),
787 ≡ m_4 + 2 m_5 (mod 1023).


This forms a system of congruence relations that can be solved with the Mathematica function Solve.

Clear[m1, m2, m3, m4, m5, m6, m7, m8];
Solve[{m1 == 1, m4 + m5 == 86, 2 m1 + 2 m3 == 140,
  5 m2 + m6 == 211, m2 + m6 + m8 == 319, m3 + m4 + m7 == 457,
  m2 + m5 + m7 == 605, m4 + 2 m5 == 787, Modulus == 1023},
  {m1, m2, m3, m4, m5, m6, m7, m8}]

{{Modulus -> 1023, m8 -> 827, m1 -> 1, m3 -> 69,
  m6 -> 591, m7 -> 1003, m2 -> 947, m4 -> 408, m5 -> 701}}

So, we know that m_1 = 1, m_2 = 947, m_3 = 69, m_4 = 408, m_5 = 701, m_6 = 591, m_7 = 1003, and m_8 = 827.


If the linear congruence relations are not linearly independent one has to replace some equations by others until they are linearly independent.

Let us now find a solution of x^m ≡ 1 + x + x^6 + x^9 (mod x^{10} + x^7 + 1).

From

Factor[
  PolynomialMod[1 + x + x^6 + x^9, {x^10 + x^7 + 1, 2}], Modulus -> 2]
Factor[PolynomialMod[x^50 (1 + x + x^6 + x^9), {x^10 + x^7 + 1, 2}],
  Modulus -> 2]

(1 + x)^2 (1 + x + x^2 + x^3 + x^4 + x^5 + x^7)
(1 + x + x^2)^2 (1 + x + x^4)

we see that 1 + x + x^6 + x^9 can not be written as a product of polynomials in S, but x^{50}(1 + x + x^6 + x^9) can.

We conclude that 50 + m ≡ 2 m_3 + m_7 = 2 × 69 + 1003 = 118 (mod 1023), so the solution of x^m ≡ 1 + x + x^6 + x^9 (mod x^{10} + x^7 + 1) is given by

m ≡ 68 (mod 1023).

This can be checked by

PolynomialMod[x^68, {x^10 + x^7 + 1, 2}]

1 + x + x^6 + x^9
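The GF(2^{10}) representation of Example 8.11 as an added example (not the book's code): polynomials over GF(2) as Python ints, long division for the smoothness test, and Step 4 carried out with the eight logs m_j the example derived. The modulus x^{10} + x^7 + 1, the factor base and the logs are taken from the example; the function names are my own.

```python
# Polynomials over GF(2) are ints: bit i is the coefficient of x^i.
X = 0b10                                 # the polynomial x
P_MOD = (1 << 10) | (1 << 7) | 1         # x^10 + x^7 + 1, the modulus of Example 8.11
ORDER = 2 ** 10 - 1                      # multiplicative order of x: 1023


def pmul(a, b):
    """Carry-less (GF(2)[x]) product."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pdivmod(a, b):
    """Long division in GF(2)[x]: returns (quotient, remainder)."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def ppowmod(base, e, mod):
    """base^e mod `mod` by square-and-multiply (PolynomialMod[x^e, {mod, 2}])."""
    r, base = 1, pdivmod(base, mod)[1]
    while e:
        if e & 1:
            r = pdivmod(pmul(r, base), mod)[1]
        base = pdivmod(pmul(base, base), mod)[1]
        e >>= 1
    return r


def factor_over_base(u, base):
    """Divide u(x) by the p_j(x) as often as possible; returns the exponent vector,
    or None when u is not smooth with respect to S."""
    if u == 0:
        return None
    exps = []
    for pj in base:
        e = 0
        while u != 1:
            quot, rem = pdivmod(u, pj)
            if rem:
                break
            u, e = quot, e + 1
        exps.append(e)
    return exps if u == 1 else None


# Factor base S of Example 8.11: all binary irreducible polynomials of degree <= 4
S = [0b10, 0b11, 0b111, 0b1011, 0b1101, 0b11111, 0b10011, 0b11001]
# The logs m_j = log_x p_j(x) obtained from the eight congruences in the text
LOGS = [1, 947, 69, 408, 701, 591, 1003, 827]


def verify_logs(logs=LOGS, base=S):
    """Check x^(m_j) = p_j(x) (mod x^10 + x^7 + 1) for every factor-base element."""
    return all(ppowmod(X, m, P_MOD) == pj for m, pj in zip(logs, base))


def index_calculus_step4(c, logs=LOGS, base=S):
    """Step 4: find r with x^r c(x) smooth, then m = sum_j v_j m_j - r (mod 1023).
    Returns (m, r), or None if no smooth multiple exists."""
    for r in range(ORDER):
        u = pdivmod(pmul(ppowmod(X, r, P_MOD), c), P_MOD)[1]
        exps = factor_over_base(u, base)
        if exps is not None:
            return (sum(v * m for v, m in zip(exps, logs)) - r) % ORDER, r
    return None


if __name__ == "__main__":
    c = 1 | (1 << 1) | (1 << 6) | (1 << 9)              # c(x) = 1 + x + x^6 + x^9
    print(factor_over_base(ppowmod(X, 86, P_MOD), S))  # [0, 0, 0, 1, 1, 0, 0, 0]: p_4 p_5
    print(index_calculus_step4(c))                     # (68, r)
    print(ppowmod(X, 68, P_MOD) == c)                  # True
```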


8.4 Problems

Problem 8.1*
Users A and B want to use the Diffie-Hellman system to fix a common key over a public channel. They use GF(p), with p = 541 and primitive element a = 2.
User B makes c_B = 123 public. If m_A = 432, what will be the common key k_{AB} that A and B use for their communication?

Problem 8.2
Users A and B want to use the Diffie-Hellman system to fix a common key over a public channel. They use F_2[x]/(x^{10} + x^3 + 1) as representation of GF(2^{10}). User B makes c_B = 0100010100 public, which stands for the field element x^8 + x^4 + x^2. If m_A = 2, what will be the common key that A and B use for their communication?

Problem 8.3
Demonstrate the Special Case version of the Pohlig-Hellman algorithm, that computes logarithms in finite fields of size q = 2^n + 1, by evaluating log(142) in GF(257).

Problem 8.4*
Check that 953 is a prime number and that 3 is a generator of Z_{953}^*. Find the three least significant bits of the solution m of the congruence relation 3^m ≡ 726 mod 953.
(See the remark in the discussion of the special case q − 1 = 2^n in Subsection 8.3.1.)

Problem 8.5
Compute log(135) in GF(353) with the Pohlig-Hellman algorithm.

Problem 8.6*
Find a solution of log 55 in GF(197) by means of the Baby-Step Giant-Step method, when only 15 field elements can be stored.

Problem 8.7*
Check that α = 662 is a primitive 2003-th root of unity in GF(4007) (note that 4007 is a prime number). Let G be the multiplicative subgroup of order 2003 in GF(4007) generated by α. Check that 2124 is an element of G.
Determine log_α 2124 by the Pollard-ρ method.

Problem 8.8*
Check that g = 996 is a generator of the multiplicative group Z_{4007}^*. Set up the index-calculus method with a factor base of size 6 and determine log_{996} 1111.

Problem 8.9*
Solve the equation x^m ≡ 1 + x^2 + x^9 (mod x^{10} + x^3 + 1) in the setting of Example 8.11.

Problem 8.10*
What is the probability that a random element x^m (mod x^{10} + x^3 + 1) is smooth with respect to the set of irreducible, binary polynomials of degree < 10 (see Example 8.11)?


9 RSA Based Systems

9.1 The RSA System

In 1978 R.L. Rivest, A. Shamir and L. Adleman [RivSA78] proposed a public key cryptosystem that has become known as the RSA system. It makes use of the following three facts:

1) Exponentiation modulo a composite number n, i.e. computing c from c ≡ m^e (mod n) for given m and e, is a relatively simple operation (see Subsection 8.1.1).

2) The opposite problem of taking roots modulo a large, composite number n, i.e. computing m from c ≡ m^e (mod n) (which can be written as m ≡ c^{1/e} (mod n)) for given c and e, is, in general, believed to be intractable.

3) If the prime factorization of n is known, the problem of taking roots modulo n is feasible.


9.1.1 Some Mathematics
From Appendix A we quote Theorem A.14 and the definition of Euler's Totient function (Def. A.6):

Theorem 9.1 Euler
Let a and n be integers. Then

gcd(a, n) = 1 ⟹ a^{φ(n)} ≡ 1 (mod n), (9.1)

where Euler's Totient Function φ(n) counts the number of integers in between 1 and n that are coprime with n. The function φ(n) can be computed from the relation:

φ(n) = n ∏_{p | n, p prime} (1 − 1/p). (9.2)

The reader can check the above in any example with the Mathematica functions GCD and EulerPhi.

n = 1395; a = 1234;
GCD[a, n]
ph = EulerPhi[n]
PowerMod[a, ph, n]


9.1.2 Setting Up the System 


Step 1 Computing the Modulus $n_U$ 

Each user U of the system chooses two different large prime numbers, say $p_U$ and $q_U$. In the 
original proposal the suggested length was about 100 digits. 

Let $n_U = p_U q_U$. It follows from (9.2) that 


$\varphi(n_U) = n_U \left(1 - \frac{1}{p_U}\right)\left(1 - \frac{1}{q_U}\right) = (p_U - 1)(q_U - 1)$. (9.3) 


This can also be seen directly. The $n_U$ integers between 1 and $n_U = p_U q_U$ are all coprime with 
$n_U$ except for the $q_U$ multiples of $p_U$ (namely $p_U, 2p_U, 3p_U, \ldots, q_U p_U$) and the $p_U$ multiples 
of $q_U$ (namely $q_U, 2q_U, 3q_U, \ldots, p_U q_U$). In this counting, one should realize that the number 
$p_U q_U$ has been subtracted once too often. 


Example 9.1 (Part 1) 


To keep this example manageable participant Bob will keep his primes reasonably small. He makes use of 
the Mathematica functions Prime and EulerPhi. 

pB = Prime[1200] 
qB = Prime[1250] 
nB = pB*qB 
phiB = EulerPhi[nB] 

9733 
10177 
99052741 
99032832 


Step 2 Computing the Exponents $e_U$ and $d_U$ 


User U chooses an integer $e_U$, $1 < e_U < \varphi(n_U)$, with $\gcd(e_U, \varphi(n_U)) = 1$. User U computes the 
unique integer $d_U$ satisfying 


$e_U d_U \equiv 1 \pmod{\varphi(n_U)}$, $1 < d_U < \varphi(n_U)$. (9.4) 

For instance, U can use Euclid's Algorithm (see Section A.2) to find $d_U$ in less than $\log_f \varphi(n_U)$ 
operations (Theorem A.9) with $f = (1 + \sqrt 5)/2$. 
Example 9.1 (Part 2) 


The random choice of $e_B$ and the computation of $d_B$ can be made with the Mathematica functions 
Random, While, and ExtendedGCD. 

81119923 
{1, {17089915, -13998717}} 


So, Bob has $e_B = 81119923$ and $d_B = 17089915$ (the second output states that $17089915 \cdot e_B - 13998717 \cdot \varphi(n_B) = 1$). This can be checked with the Mathematica function Mod. 
Step 3 Making Public: $e_U$ and $n_U$ 


Each user U makes $e_U$ and $n_U$ public, but keeps $d_U$ secret. The prime numbers $p_U$ and $q_U$ no 
longer play a role. User U may use them to reduce the complexity of his calculations, as we shall 
see later on. They may not be made public by U. 


9.1.3 RSA for Privacy 


If user A, say Alice, wants to send a secret message to Bob (user B), she represents her message in 
any standardized way by a number m, $0 \le m < n_B$. Next, Alice looks up the public exponent $e_B$ of 
Bob. She will send the ciphertext c computed from 


$c \equiv m^{e_B} \pmod{n_B}$. 


Bob can recover m from c by raising it to the power $d_B$, which only he knows. Indeed, for some 
integer l one has 


$c^{d_B} \equiv (m^{e_B})^{d_B} = m^{e_B d_B} \overset{(9.4)}{=} m^{1 + l\varphi(n_B)} = m \cdot (m^{\varphi(n_B)})^l \overset{(9.1)}{\equiv} m \pmod{n_B}$, (9.5) 


when $\gcd(m, n_B) = 1$. In Problem 9.2 the reader is invited to verify that the system also works 
when $\gcd(m, n_B) \ne 1$. 


We summarize the RSA secrecy system in the next table. 


public            $e_U$ and $n_U$ of all users U 
secret            $d_U$ of user U 
property          $e_U d_U \equiv 1 \pmod{\varphi(n_U)}$ 
message to Bob    $0 \le m < n_B$ 
encryption by A   $c \equiv m^{e_B} \pmod{n_B}$ 
decryption by B   $c^{d_B} \equiv m \pmod{n_B}$ 


The RSA System for Privacy 
Table 9.1 


The public and secret exponents in the RSA system are traditionally called $e_U$ and $d_U$ to denote 
the encryption resp. decryption functions that they have in this subsection. 


Example 9.1 (Part 3) 


We continue with the parameters of Example 9.1, so $n_B = 99052741$, $e_B = 81119923$, and 
$d_B = 17089915$. The encryption $c \equiv m^{e_B} \pmod{n_B}$ of message m = 12345678 leads with the 
Mathematica function PowerMod to 

nB = 99052741; eB = 81119923; dB = 17089915; 
m = 12345678; 
c = PowerMod[m, eB, nB] 


Bob decrypts this by computing $c^{d_B} \pmod{n_B}$, which gives m. 

PowerMod[c, dB, nB] 

12345678 


It is possible to reduce the work factor of the decryption process by means of the Chinese 
Remainder Theorem (Thm. A.19). Indeed, since Bob knows the factorization of n into $p \times q$, he 
can do the following. 


Bob precomputes integers a and b mod n, satisfying 

a ≡ 1 (mod p) 
a ≡ 0 (mod q) 
b ≡ 0 (mod p) 
b ≡ 1 (mod q) 

Next, Bob computes $m_1 \equiv c_1^{d} \pmod p$ and $m_2 \equiv c_2^{d} \pmod q$, where $c_1 = (c \bmod p)$ and 
$c_2 = (c \bmod q)$. Note that all these calculations take place modulo the integers p and q that are 
typically half the length of n. By the Chinese Remainder Theorem, $m = (c^d \bmod n)$ is now given by 
$m_1 a + m_2 b \pmod n$. 


There is even an extra bonus in this approach. The exponent d in the calculations of $m_1$ and $m_2$ can 
be reduced modulo p − 1, resp. q − 1, by Fermat's Theorem (Thm. A.15). Indeed, 
$m_1 \equiv c_1^{d} \equiv c_1^{d_1} \pmod p$, with $d_1 = (d \bmod (p - 1))$, and a similar statement is true for the mod q 
calculations. 


Altogether, this way of computing $c^d \bmod n$ reduces the workload by a factor of about 4. 


Example 9.1 (Part 4) 


We continue with the parameters of Example 9.1, so $p_B = 9733$, $q_B = 10177$, $n_B = 99052741$, 
$e_B = 81119923$, and $d_B = 17089915$. To compute the solutions to 


a ≡ 1 (mod 9733) 
a ≡ 0 (mod 10177) 
b ≡ 0 (mod 9733) 
b ≡ 1 (mod 10177) 

we load the Mathematica package NumberTheory`NumberTheoryFunctions 

45287650 
53765092 


Next, we calculate $m_1 \equiv c^{d_1} \pmod p$ and $m_2 \equiv c^{d} \equiv c^{d_2} \pmod q$. 


The result of the decryption process is now given by $m_1 a + m_2 b \bmod n$ and coincides with our 
earlier decryption process. 

n = 99052741; 
Mod[m1*a + m2*b, n] 


9.1.4 RSA for Signatures 


The RSA system can equally be used to sign messages. To sign a message m, $0 \le m < n_B$, Bob will 
compute $c = (m^{d_B} \bmod n_B)$. 

The receiver of c, say Alice, can easily retrieve the original message from $c^{e_B} \pmod{n_B}$, because 
Bob's parameters $e_B$ and $n_B$ are public. To check this we repeat (9.5) (with a minor variation): 


$c^{e_B} \equiv (m^{d_B})^{e_B} = m^{d_B e_B} \overset{(9.4)}{=} m^{1 + l\varphi(n_B)} = m \cdot (m^{\varphi(n_B)})^l \overset{(9.1)}{\equiv} m \pmod{n_B}$ (9.6) 


for all m with $\gcd(m, n_B) = 1$. The relation $c^{e_B} \equiv m \pmod{n_B}$ also holds when $\gcd(m, n_B) \ne 1$. In 
Problem 9.2 the reader is asked to prove this. 


Alice should keep c as Bob's signature on m. Only Bob can have made c out of m, because he is the 
only one knowing $d_B$. The reader is advised to reread the discussion above Table 7.2. 


public             $e_U$ and $n_U$ of all users U 
secret             $d_U$ of user U 
property           $e_U d_U \equiv 1 \pmod{\varphi(n_U)}$ 
message of Bob     $0 \le m < n_B$ 
signing by B       $c \equiv m^{d_B} \pmod{n_B}$ 
verification by A  $c^{e_B} \equiv m \pmod{n_B}$ 
signature          the pair (m, c) 


The RSA System for Signing 
Table 9.2 


Example 9.1 (Part 5) 


Bob signs message m = 11111111 by computing $c = m^{d_B} \pmod{n_B}$. 

m = 11111111; 
c = PowerMod[m, dB, nB] 

Alice verifies this by computing $c^{e_B} \pmod{n_B}$, which gives m. 
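As an added example (not code from the book), the following Python carries out Steps 1 to 3 of Subsection 9.1.2, the encryption and decryption of Table 9.1 with and without the CRT shortcut of Example 9.1 (Part 4), and the signing and verification of Table 9.2, all with Bob's parameters from Example 9.1; the function and field names are my own.

```python
# Added example, not from the book: RSA key set-up, encryption, CRT decryption
# and signing with Bob's small parameters from Example 9.1 (p = 9733, q = 10177).
from math import gcd


def rsa_setup(p: int, q: int, e: int) -> dict:
    """Steps 1 and 2 of Subsection 9.1.2: n = p q, phi(n) = (p-1)(q-1), e d = 1 (mod phi)."""
    n = p * q
    phi = (p - 1) * (q - 1)                        # relation (9.3)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must lie in (1, phi(n)) and be coprime with phi(n)")
    d = pow(e, -1, phi)                            # relation (9.4), via Euclid's Algorithm
    # CRT precomputation of Example 9.1 Part 4:
    # a = 1 (mod p), a = 0 (mod q);  b = 0 (mod p), b = 1 (mod q)
    a = q * pow(q, -1, p)
    b = p * pow(p, -1, q)
    return {"n": n, "e": e, "d": d, "p": p, "q": q, "a": a, "b": b,
            "d1": d % (p - 1), "d2": d % (q - 1)}  # exponents reduced by Fermat's Theorem


def encrypt(key: dict, m: int) -> int:
    """Table 9.1: c = m^e (mod n); the sender only needs the public e and n."""
    if not 0 <= m < key["n"]:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, key["e"], key["n"])


def decrypt(key: dict, c: int) -> int:
    """Relation (9.5): m = c^d (mod n), one full-size exponentiation."""
    return pow(c, key["d"], key["n"])


def decrypt_crt(key: dict, c: int) -> int:
    """Decryption modulo p and q separately (about 4 times cheaper)."""
    m1 = pow(c % key["p"], key["d1"], key["p"])
    m2 = pow(c % key["q"], key["d2"], key["q"])
    return (m1 * key["a"] + m2 * key["b"]) % key["n"]


def sign(key: dict, m: int) -> int:
    """Table 9.2: c = m^d (mod n) is Bob's signature on m."""
    return pow(m, key["d"], key["n"])


def verify(key: dict, m: int, sig: int) -> bool:
    """Relation (9.6): the signature is accepted iff c^e = m (mod n)."""
    return pow(sig, key["e"], key["n"]) == m


BOB = rsa_setup(9733, 10177, 81119923)             # Example 9.1, Parts 1 and 2

if __name__ == "__main__":
    c = encrypt(BOB, 12345678)                     # Example 9.1, Part 3
    print(BOB["n"], BOB["d"], BOB["a"], BOB["b"])  # 99052741 17089915 45287650 53765092
    print(decrypt(BOB, c), decrypt_crt(BOB, c))    # 12345678 12345678
    s = sign(BOB, 11111111)                        # Example 9.1, Part 5
    print(verify(BOB, 11111111, s))                # True
```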


9.1.5 RSA for Privacy and Signing 


Suppose that Alice wants to sign a confidential message m to Bob. The solution described in 
Subsection 7.1.4, namely Alice first signs m with her secret key and then encrypts the result with 
Bob's public key, can not always be applied directly in the RSA case. 


To see this, we observe that Alice would like to send 

$c = \left(m^{d_A} \bmod n_A\right)^{e_B} \bmod n_B$. (9.7) 


However, this mapping is not one-to-one if $n_A > n_B$. For instance, the messages m = 1 and 
$m = (1 + n_B)^{e_A}$ will both be mapped to c = 1. 


Since Alice and Bob do not want to share their prime numbers, we must have $n_A < n_B$. In this case, 
Bob can recover m as follows: 


$\left(c^{d_B} \bmod n_B\right)^{e_A} \bmod n_A = m$. 

To verify this, combine (9.5) with (9.6). 


Of course, there now is the problem of what to do when Bob wants to sign a confidential message 
to Alice. A simple solution is to have every user U make two sets of parameters, one with its 
modulus smaller than some threshold T and the other with its modulus larger than T. In this 
setting, the sender uses his own smaller modulus for the signature and the receiver's larger modulus 
for the encryption. 
public               $e_{U,i}$ and $n_{U,i}$ of all users U, i = 1, 2 
secret               $d_{U,i}$ of user U, i = 1, 2 
properties           $e_{U,i} d_{U,i} \equiv 1 \pmod{\varphi(n_{U,i})}$ 
                     $n_{U,1} < T < n_{U,2}$ 
message from         $0 \le m < n_{A,1}$ 
Alice to Bob 
Alice sends          $c = \left((m^{d_{A,1}} \bmod n_{A,1})^{e_{B,2}} \bmod n_{B,2}\right)$ 
Bob computes         $\left((c^{d_{B,2}} \bmod n_{B,2})^{e_{A,1}} \bmod n_{A,1}\right) = m$ 
Bob keeps as         m and $(c^{d_{B,2}} \bmod n_{B,2})$, 
signature            which is equal to $(m^{d_{A,1}} \bmod n_{A,1})$ 


RSA for privacy and signing 
Table 9.3 


If there is an argument between Alice and Bob, they will go to an arbitrator. This arbitrator is 
given the pair m and $u = (c^{d_{B,2}} \bmod n_{B,2})$ by Bob. As an integer, the latter is equal to $(m^{d_{A,1}} \bmod n_{A,1})$, 
since 


$(c^{d_{B,2}} \bmod n_{B,2}) \overset{(9.7)}{=} \left(\left((m^{d_{A,1}} \bmod n_{A,1})^{e_{B,2}} \bmod n_{B,2}\right)^{d_{B,2}} \bmod n_{B,2}\right) \overset{(9.5)}{=} (m^{d_{A,1}} \bmod n_{A,1})$. 


Just like in Subsection 9.1.4, the arbitrator now checks if $u^{e_{A,1}} \equiv m \pmod{n_{A,1}}$. 


If this is the case, the message m came indeed from Alice; if not, u will not be considered as 
Alice's signature on m. 


Note that the arbitrator does not need to know the secret exponents of Alice or Bob to make his 
decision. Therefore, Alice and Bob can continue to use their original set of parameters. 
9.2 The Security of RSA: Some Factorization Algorithms 


9.2.1 What the Cryptanalyst Can Do 


Suppose that an eavesdropper, say Eve, gets hold of a secret message $c \equiv m^{e_B} \pmod{n_B}$ for Bob. 
Once Eve knows the secret exponent $d_B$ of Bob, she can compute m from the ciphertext c in 
exactly the same way as Bob can, namely by computing $c^{d_B} \pmod{n_B}$ (see (9.5)). 


To determine $d_B$ from the public exponent $e_B$ and the relation $e_B d_B \equiv 1 \pmod{\varphi(n_B)}$ (see (9.4)) is 
easy for Eve as soon as she knows $\varphi(n_B)$: just like Bob did when he set up the system, she will use 
Euclid's Algorithm. 


To find $\varphi(n_B) = (p_B - 1)(q_B - 1)$ (see (9.3)) from the publicly known modulus $n_B$, Eve will have to find the 
factorization of $n_B$. 


At the time of the introduction of RSA, Schroeppel (not published) had a modification of a 
factorization algorithm by Morrison and Brillhart [MorB75]. It involved 


$e^{\sqrt{\ln n \,\ln \ln n}}$ operations. 


In the next table we have made use of the Mathematica functions TableForm, Table, Exp, 
Sqrt, Log, and N to give an impression of the growth of the above expression. 

TableForm[Table[ 
  {k, N[Exp[Sqrt[Log[10^k] Log[Log[10^k]]]], 3]}, 
  {k, 25, 250, 25}], TableHeadings -> 
  {{}, {"length in digits", "complexity"}}, 
  TableAlignments -> {Center}] 


length in digits   complexity 
25                 4.30 × 10^6 
50                 1.42 × 10^10 
75                 8.99 × 10^12 
100                2.34 × 10^15 
125                3.41 × 10^17 
150                3.26 × 10^19 
175                2.25 × 10^21 
200                1.20 × 10^23 
225                5.17 × 10^24 
250                1.86 × 10^26 
As one can see, if n is about 200 digits long, the above cryptanalysis is clearly not tractable. On the 
other hand, much larger numbers have been factored than was thought to be possible at the time 
that the original RSA scheme was proposed (at the time of printing the record stood at 512-bit 
numbers). For this reason, one now sees proposals for implementations of RSA with a much larger 
modulus. 


An example of a fast modern factorization algorithm can be found in [LensH86]. Other methods 
will be discussed in Section 9.2.3. There do exist special factorization algorithms that run faster 
if n is of a special form. We shall discuss one of these methods in the next subsection. 


Up to now, there seems to be no way of breaking the RSA system other than by factoring the 
modulus n. There is no formal proof however that these two problems are equivalent. In Section 
9.5 we shall discuss a variant of the RSA system for which it can be shown that breaking it is 
equivalent to factoring its modulus. 


A drawback of having to choose large moduli is that the execution of a single exponentiation takes 
more time than one may like, especially when one wants to encrypt a long file. Quite often in such 
a situation one shall use a hybrid system: a symmetric system with secret key k is used for 
encryption of the data and the RSA scheme is used to send this key securely to the receiver (using 
the public parameters of the receiver). 


When generating p and q it is a bad idea to first generate p and then try out p+2, p+4, ... for 
primality. One really wants |p − q| to be large. Indeed, if a cryptanalyst can guess p − q, for instance 
by checking all likely values, it follows from 


$4n = 4pq = (p + q)^2 - (p - q)^2$ 


that p + q can also be determined. From these two linear relations p and q can be found, which 
implies that the system has been broken. 


Example 9.2 
Let n = 5007958289. Guessing that q − p = 200, we get p + q from 

n = 5007958289; Sqrt[4 n + 200^2] 

141534 


From $p + q = \sqrt{4n + 200^2}$ and q − p = 200, we get that $q = (\sqrt{4n + 200^2} + 200)/2$. 

q = (Sqrt[4 n + 200^2] + 200)/2 

70867 

p = q - 200 

70667 

p*q == n 

True 


We conclude that |p − q| has to be large. A way to do this is to take q more than $p + \sqrt p$. 
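As an added example (not code from the book) of the check just described, the following Python recovers p and q from n = 5007958289 by guessing q − p as in Example 9.2, and generalizes it to a scan over all small even differences, which is the test a key generator can run to reject a modulus whose primes lie too close together; the function names are my own.

```python
# Added example, not from the book: splitting n when |p - q| is small, as in
# Example 9.2 (n = 5007958289, q - p = 200), using 4n = (p+q)^2 - (q-p)^2.
from math import isqrt


def split_with_difference(n: int, diff: int):
    """Return (p, q) if q - p == diff and p q == n, else None."""
    s2 = 4 * n + diff * diff                 # would be (p + q)^2
    s = isqrt(s2)
    if s * s != s2 or (s + diff) % 2:        # p + q must be an integer of the right parity
        return None
    q = (s + diff) // 2
    p = q - diff
    return (p, q) if p > 1 and p * q == n else None


def close_factor_check(n: int, max_diff: int):
    """Try every even difference up to max_diff (p and q are odd, so q - p is even).
    A generated RSA modulus should return None for a large max_diff; a hit means
    the factorization has been recovered from a guess of p - q alone."""
    for diff in range(0, max_diff + 1, 2):
        found = split_with_difference(n, diff)
        if found:
            return found
    return None


if __name__ == "__main__":
    print(split_with_difference(5007958289, 200))   # (70667, 70867)
    print(close_factor_check(99052741, 500))         # (9733, 10177): Bob's primes differ by 444
```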


In the literature one can also find a few attacks on the RSA system that have a probability of 
success which is not significantly more than the probability that a randomly chosen integer a 
smaller than n has a non-trivial factor in common with n. This factor would then be p or q. The 
probability that the latter happens can be evaluated with the Euler Totient function $\varphi(n)$ and is 
given by 


$\frac{n - \varphi(n)}{n} \overset{(9.3)}{=} \frac{pq - (p-1)(q-1)}{pq} = \frac{p + q - 1}{pq} < \frac{2}{p}$, 


assuming that p < q. That one should not take p too small will follow from the factorization 
algorithm that we shall discuss in the next subsection. 


Because the "attacks" mentioned above have such a small probability of success, we choose not to 
discuss them here. Some of the problems at the end of this chapter are based on them. 


9.2.2 A Factorization Algorithm for a Special Class of Integers 


We shall now briefly discuss a factorization algorithm that runs faster than the general 
factorization algorithms that we shall address later, under the assumption that at least one of the 
prime factors of n, say p, has the property that p − 1 only contains small prime factors. 


Pollard's p − 1 Method 


In [Poll75], Pollard describes a way to factor n in $\sqrt p$ steps, where p is the smallest prime divisor 
of n. This explains why we have to take p and q both large. 


The assumption in Pollard's p − 1 method is that in the factorization of n at least one of the two 
factors, say p, has the property that p − 1 has only small prime factors. To be more precise, an 
integer is said to be smooth (see also Subsection 8.3.4) with respect to S if all its prime factors are 
less than or equal to S. We shall assume that p − 1 is smooth with respect to some integer S. 


Example 9.3 


The prime number p = 70877 has the property that p − 1 is smooth with respect to S = 50, as one can 
check with the Mathematica functions FactorInteger and PrimeQ. 

p = 70877; PrimeQ[p] 
FactorInteger[p - 1] 

True 
{{2, 2}, {13, 1}, {29, 1}, {47, 1}} 


For each prime number r, r ≤ S, the largest power of r that is still less than or equal to n can be 
determined from 


$r^i \le n$, or, equivalently, $i \le \log_r n$. 

Define R by 

$R = \prod_{p \le S,\; p \text{ prime}} p^{\lfloor \log_p n \rfloor}$. (9.8) 

Example 9.4 (Part 1) 


Consider the number n = 6700892281 and assume that at least one of its factors, say p, is smooth with 
respect to S = 50. It follows from 

Prime[15] 
Prime[16] 

47 
53 

that there are 15 primes less than or equal to S = 50. So, R can be calculated from (9.8) with the 
Mathematica functions Prime, Log and Floor as follows 

n = 6700892281; R = Product[Prime[i]^Floor[Log[Prime[i], n]], {i, 1, 15}] 

FactorInteger[R] 

{{2, 32}, {3, 20}, {5, 14}, {7, 11}, {11, 9}, {13, 8}, {17, 7}, {19, 7}, 
{23, 7}, {29, 6}, {31, 6}, {37, 6}, {41, 6}, {43, 6}, {47, 5}} 


If p − 1 is smooth with respect to S, each prime power $r^i$ that divides p − 1 will also be a factor of 
R, since i will be at most $\lfloor \log_r n \rfloor$. It follows that (p − 1) divides R. 


We know from Fermat's Theorem (Thm. A.15) that any integer a, $1 \le a < p$, will satisfy 
$a^{p-1} \equiv 1 \pmod p$. Since $(p - 1) \mid R$, also $a^R \equiv 1 \pmod p$. 

Now take a random integer a, $2 \le a < n$, and check if $\gcd(a, n) = 1$. If this gcd is not 1, we have 
found a factor of n and we are done. 


If $\gcd(a, n) = 1$ it follows from $a^R \equiv 1 \pmod p$ that $p \mid (a^R - 1)$. Since it is very unlikely that also 
$a^R \equiv 1 \pmod q$, we shall almost certainly find a factor of n (namely p) from $\gcd(a^R - 1, n)$. Note 
that $a^R$ does not have to be evaluated for this calculation; the value of $a^R \pmod n$ suffices. 


Example 9.4 (Part 2) 


To find a factor of n = 6700892281 we pick a random a between 2 and n − 1 and compute the 
gcd of $a^R - 1$ with n by means of the Mathematica functions Random, PowerMod, and GCD. 

a = Random[Integer, {2, n}] 
GCD[PowerMod[a, R, n] - 1, n] 

81919 


It follows that p = 81919 is a factor of n. The other factor follows from n/p = 81799. Note that if 
q is also smooth with respect to S, we would have found n as the outcome of the gcd calculation. 


We summarize Pollard's p − 1 method in the following table. 

input: integer n. 
select a smoothness parameter S. 
calculate R from (9.8). 
select a random a, 2 ≤ a < n. 
compute d = gcd(a^R − 1, n). 
if 1 < d < n then d is a factor of n 
else STOP or select a new random a 


Pollard's p − 1 Method to Factor n 
Figure 9.1 
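As an added example (not code from the book), the following Python implements Figure 9.1 with R computed from (9.8) in integer arithmetic and runs it on n = 6700892281 of Example 9.4 with S = 50; it also shows, on a modulus I constructed from the two safe primes 23 and 47, that the method returns nothing when neither p − 1 nor q − 1 is smooth. The function names are my own.

```python
# Added example, not from the book: Pollard's p - 1 method of Figure 9.1,
# run on n = 6700892281 from Example 9.4 with smoothness bound S = 50.
from math import gcd, isqrt


def primes_up_to(s: int) -> list:
    """Sieve of Eratosthenes: all primes r <= s."""
    flags = bytearray([1]) * (s + 1)
    flags[0] = flags[1] = 0
    for i in range(2, isqrt(s) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(flags[i * i::i]))
    return [i for i, f in enumerate(flags) if f]


def pollard_exponent(n: int, s: int) -> int:
    """R = prod_{r <= S, r prime} r^floor(log_r n), relation (9.8), computed with
    integer comparisons instead of floating-point logarithms."""
    big_r = 1
    for r in primes_up_to(s):
        power = r
        while power * r <= n:                      # largest power of r that is <= n
            power *= r
        big_r *= power
    return big_r


def pollard_p_minus_1(n: int, s: int, a: int = 2):
    """Return a non-trivial factor of n, or None.
    None means gcd(a^R - 1, n) was 1 (no prime p | n with p - 1 S-smooth) or n
    (both p - 1 and q - 1 are S-smooth); Figure 9.1 then stops or picks a new a."""
    d = gcd(a, n)
    if 1 < d < n:
        return d                                   # a itself already shares a factor with n
    big_r = pollard_exponent(n, s)
    d = gcd(pow(a, big_r, n) - 1, n)               # only a^R mod n is needed, never a^R
    return d if 1 < d < n else None


if __name__ == "__main__":
    print(pollard_p_minus_1(6700892281, 50))       # 81919, as in Example 9.4
    # constructed check: 23 = 2*11 + 1 and 47 = 2*23 + 1 are safe primes,
    # so with S = 10 neither p - 1 nor q - 1 is smooth and nothing is found
    print(pollard_p_minus_1(23 * 47, 10))          # None
```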


To make Pollard's p − 1 method infeasible, one often chooses so-called safe primes when setting 
up the RSA system. These strong primes are primes p of the form p = 2p' + 1, where p' is a 
(large) prime. In this case, p − 1 has just one small factor. 


9.2.3 General Factorization Algorithms 


The Pollard-ρ Method 


Let p be an unknown prime factor of the integer n that we want to factor. Now look at the 
sequence $a_0, a_1, \ldots$, defined recursively by 

$a_0 = 1$, 

$a_{i+1} \equiv a_i^2 + 1 \pmod p$, $i \ge 0$. 

Suppose that we have found indices u and v with v > u and $a_u \equiv a_v \pmod p$. Then clearly 
$\gcd(a_v - a_u, n)$ is divisible by p and very likely this gcd is equal to p. 


Of course, p is not known, so we replace the above recursion relation by 


$a_0 = 1$, 


$a_{i+1} \equiv a_i^2 + 1 \pmod n$, $i \ge 0$. (9.9) 


Since $p \mid n$ we will find the factor p from $\gcd(a_v - a_u, n)$ for the same values of u and v (the 
probability that other large factors of n divide this gcd is negligible). 


Instead of having to store all previously computed values of $a_i$, $i \ge 0$, we use Floyd's cycle-finding 
algorithm to find an index k such that $a_{2k} \equiv a_k$ and then we take u = k and v = 2k. The idea is 
simply that one starts with $a_1$ and $a_2$ and recursively determines the pair $(a_i, a_{2i})$ from 
$(a_{i-1}, a_{2(i-1)})$. 

The above is summarized in the following figure. 

input: integer n. 
put a = 1, b = 2. 
do a ← (a^2 + 1) mod n, 
   b ← (((b^2 + 1) mod n)^2 + 1) mod n 
until d = gcd(b − a, n) > 1 

if d < n then d is a factor of n 
else STOP 


Pollard's ρ Method to Factor n 
Figure 9.2 
Example 9.5 


To find a factor of n = 168149075693 with the above method we use the Mathematica functions While, 
Mod, and GCD. 

n = 168149075693; 
a = 1; b = 2; d = GCD[b - a, n]; 
While[d == 1, a = Mod[a^2 + 1, n]; 
  b = Mod[(Mod[b^2 + 1, n])^2 + 1, n]; d = GCD[b - a, n]] 
d 

350377 


So, 350377 is a factor of n = 168149075693. The quotient n/p is 479909, which happens to be a 
prime too, as can easily be checked with the function PrimeQ. 

q = n/d 

479909 

PrimeQ[q] 

True 
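As an added example (not code from the book), the following Python is Figure 9.2 written out with Floyd's cycle finding, including the stopping case d = n that the figure only names, and is run on n = 168149075693 from Example 9.5; the function name and step budget are my own.

```python
# Added example, not from the book: Pollard's rho method with Floyd's cycle
# finding exactly as in Figure 9.2, run on n = 168149075693 from Example 9.5.
from math import gcd


def pollard_rho(n: int, max_steps: int = 10**6):
    """Walk a_i <- a_{i-1}^2 + 1 (mod n) at single speed (a) and at double speed (b)
    until gcd(b - a, n) > 1.  Returns a non-trivial factor of n, or None when the
    walks collide modulo every prime factor at once (d == n, where Figure 9.2 just
    stops) or when the step budget is exhausted."""
    if n % 2 == 0:
        return 2
    a, b = 1, 2                                    # a_0 and a_1 of recursion (9.9)
    for _ in range(max_steps):
        a = (a * a + 1) % n                        # one step
        b = (b * b + 1) % n                        # two steps
        b = (b * b + 1) % n
        d = gcd(b - a, n)
        if d > 1:
            return d if d < n else None
    return None


if __name__ == "__main__":
    n = 168149075693
    d = pollard_rho(n)
    print(d, n // d)                               # 350377 and 479909 in some order
```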


Random Square Factoring Methods 


This method and the next one are related to the Index-Calculus Method discussed in Subsection 
8.3.4. The reader may want to read the introduction there first, but that will not be necessary for the 
understanding of the discussion here. We assume that n is a composite odd integer. 


The method consists of the following four steps. 

Step 1: 

Construct the set $S = \{p_1, p_2, \ldots, p_k\}$ consisting of the first k prime numbers, so $p_1 = 2$, $p_2 = 3$, 
etc. The set S will be called the factor base. 


Step 2: 
Find sufficiently many pairs $(a_i, b_i)$ such that 


$a_i^2 \equiv b_i \pmod n$ (9.10) 

and such that $b_i$ is smooth with respect to S, i.e. $b_i$ factors completely into elements of the factor 
base S, say 

$b_i = \prod_{j=1}^{k} p_j^{u_{i,j}}$, with $u_{i,j} \ge 0$. 

Put $u_i = (u_{i,1}, u_{i,2}, \ldots, u_{i,k})$. Pairs $(a_i, b_i)$ satisfying property (9.10) can be found by trying random 
choices of $a_i$. An alternative is to use any suitable recursion relation that generates candidates for 
$a_i$. For instance, after trying $a_i = a$ one may want to try $a_{i+1} = ((a^2 + 1) \bmod n)$. 


Step 3: 
Find a collection of $b_i$'s whose product is a perfect square. Quite clearly, only the parity of the $u_{i,j}$'s 
matters in this condition, so let us put $v_{i,j} = (u_{i,j} \bmod 2)$ and $v_i = (v_{i,1}, v_{i,2}, \ldots, v_{i,k})$. We write 


$v_i \equiv u_i \pmod 2$. 


Since any k + 1 vectors $v_i$ (all of length k) must be linearly dependent over $\mathbb{Z}_2$, there must be a non-
trivial linear combination adding up to $\mathbf{0}$. Such a linear combination can be found very efficiently 
with standard methods from linear algebra. 


Let I denote the subset of {1, 2, ..., k} with $\sum_{i \in I} v_i \equiv \mathbf{0} \pmod 2$. Set 

$x = \prod_{i \in I} a_i$ and $y = \sqrt{\prod_{i \in I} b_i}$. 


Step 4: 

It follows from (9.10) that $x^2 \equiv y^2 \pmod n$, i.e. n divides $(x - y)(x + y)$. Assume that 
$x \not\equiv \pm y \pmod n$ (the probability that this happens is at least 1/2 as we shall see in a moment and as 
will be demonstrated more extensively in Subsection 9.5.1 for the case that n is the product of two 
different primes). Then x − y must be divisible by a non-trivial divisor of n. In other words, 
$\gcd(x - y, n)$ yields a non-trivial factor of n. 


If $\gcd(x - y, n) = n$ one has to try to find another perfect square, either by another linear 
dependency between the $v_i$'s or by exchanging one of the pairs $(a_i, b_i)$ for a new one. 


Consider the congruence relation $x^2 \equiv y^2 \pmod n$ where y is assumed to have a given fixed value 
that is coprime with n. Further, let $p^\alpha$ be any factor in the prime power decomposition of n (see 
Theorem A.6). Then $x^2 \equiv y^2 \pmod{p^\alpha}$ has just two solutions, namely $x \equiv \pm y \pmod{p^\alpha}$. Indeed, for 
α = 1 this follows from Theorem B.15. For α > 1, we still have that $p^\alpha$ must divide either x − y or 
x + y, because if $p \mid (x - y)$ and $p \mid (x + y)$ then $p \mid 2y$, but $p \nmid y$ (since n is odd, also p will be odd). 
We conclude that $x \equiv \pm y \pmod{p^\alpha}$ also when α > 1. 


It now follows directly from the Chinese Remainder Theorem (Thm. A.19) that relation 
$x^2 \equiv y^2 \pmod n$ has $2^l$ solutions, where l is the number of different prime numbers dividing n. 
Only two of these $2^l$, $l \ge 2$, solutions are given by $x \equiv \pm y \pmod n$; therefore, the probability that 
$\gcd(x - y, n)$ yields a non-trivial factor of n is at least $(2^l - 2)/2^l \ge 2/4 = 1/2$. 

input: integer n. 

make factor base S = {p_1, ..., p_k} 
find pairs (a_i, b_i) with 
  a_i random, a_i^2 ≡ b_i (mod n), b_i smooth w.r.t. S 

find index set I such that ∏_{i∈I} b_i is a perfect square 

put x = ∏_{i∈I} a_i, y = √(∏_{i∈I} b_i) 

put d = gcd(x − y, n) 
if d < n then d is a factor of n 
else retry with other I 


Factoring by Random Squares 
Figure 9.3 


Example 9.6 


Suppose that we try to factor n = 1271 with the above method. We first make the factor base consisting of 
the first 8 primes by means of the Mathematica functions Table and Prime. 

S = Table[Prime[i], {i, 1, 8}] 

{2, 3, 5, 7, 11, 13, 17, 19} 


Next, we use the function Random to generate a random a, $1 \le a \le n$, and the function 
FactorInteger to factor $b = a^2 \pmod n$. 

n = 1271; a = Random[Integer, {1, n}] 
b = Mod[a^2, n] 
FactorInteger[b] 

460 
614 
{{2, 1}, {307, 1}} 


Unfortunately, b = 614 is not smooth with respect to S, but after some trial and error we found the 
following nine smooth numbers (they are put in a list called a). 

a       a^2 mod n   factors 
583     532         {{2, 2}, {7, 1}, {19, 1}} 
536     50          {{2, 1}, {5, 2}} 
1137    162         {{2, 1}, {3, 4}} 
421     572         {{2, 2}, {11, 1}, {13, 1}} 
727     1064        {{2, 3}, {7, 1}, {19, 1}} 
1034    245         {{5, 1}, {7, 2}} 
1051    102         {{2, 1}, {3, 1}, {17, 1}} 
107     10          {{2, 1}, {5, 1}} 
1111    180         {{2, 2}, {3, 2}, {5, 1}} 


The exponents in the factorization of the $b_i$'s are given by the vectors $u_i$ that form the rows of the 
matrix U below. The vectors $v_i$ are the modulo 2 reductions of the $u_i$'s. They form the rows of the 
matrix V below. 


For instance, $b_1 = 532 = 2^2 \cdot 7 \cdot 19$ gives $u_1 = (2, 0, 0, 1, 0, 0, 0, 1)$ and $v_1 = (0, 0, 0, 1, 0, 0, 0, 1)$. 
These two rows are the first row of the matrices U resp. V below. We use the function 
MatrixForm to display them. 

U = 
( 2 0 0 1 0 0 0 1 ) 
( 1 0 2 0 0 0 0 0 ) 
( 1 4 0 0 0 0 0 0 ) 
( 2 0 0 0 1 1 0 0 ) 
( 3 0 0 1 0 0 0 1 ) 
( 0 0 1 2 0 0 0 0 ) 
( 1 1 0 0 0 0 1 0 ) 
( 1 0 1 0 0 0 0 0 ) 
( 2 2 1 0 0 0 0 0 ) 

V = 
( 0 0 0 1 0 0 0 1 ) 
( 1 0 0 0 0 0 0 0 ) 
( 1 0 0 0 0 0 0 0 ) 
( 0 0 0 0 1 1 0 0 ) 
( 1 0 0 1 0 0 0 1 ) 
( 0 0 1 0 0 0 0 0 ) 
( 1 1 0 0 0 0 1 0 ) 
( 1 0 1 0 0 0 0 0 ) 
( 0 0 1 0 0 0 0 0 ) 


To find a non-trivial linear combination of the rows of V adding up to the all-zero vector modulo 
2, we use the NullSpace and Transpose functions. 

NullSpace[Transpose[V], Modulus -> 2] 

{{0, 0, 0, 0, 0, 1, 0, 0, 1}, 
 {0, 0, 1, 0, 0, 1, 0, 1, 0}, {1, 0, 1, 0, 1, 0, 0, 0, 0}} 


We see that the first of the above linear dependencies between rows of V reflects two identical 
rows, but the third one does give an index set I that can be used, namely I = {1, 3, 5}. 


It leads to the values $x = a_1 a_3 a_5$ and $y = \sqrt{b_1 b_3 b_5}$. 

x = a[[1]]*a[[3]]*a[[5]] 
y = (b[[1]]*b[[3]]*b[[5]])^(1/2) 
GCD[x - y, n] 

481907217 
9576 
41 

We conclude that p = 41 is a factor of n = 1271. Indeed 1271 = 31 × 41. 

n/41 

31 

Quadratic Sieve 
The complexity of this method is given by 

$e^{1.923\, (\ln n)^{1/3} (\ln \ln n)^{2/3}}$ operations. 


As with the previous methods, we shall not explain all details of this factorization technique. Let n 
be the number that we want to factor. 


To start we need a so-called factor base S, which means that S is a list of k primes (which k primes 
will be determined later). 


Let $r = \lfloor \sqrt n \rfloor$ and let the polynomial f(x) be defined by 

$f(x) = (x + r)^2 - n = x^2 + 2rx + r^2 - n$. 


Note that $r^2 \le n < (r + 1)^2$, so $0 \le n - r^2 \le 2r < 2\sqrt n + 1$. It follows that if x is small in 
absolute value, then also f(x) will be small (when compared to n). 


For x = 0, ±1, ±2, ... define a by a = x + r and test $b = (x + r)^2 - n$ for smoothness with respect to 
S, i.e. test if all prime factors of b are in S. If so, we save the pair (a, b) in a list of pairs $(a_i, b_i)$ 
with this property. 


Note that $a_i^2 = (x + r)^2 \equiv b_i \pmod n$, just as in equation (9.10). 


If a prime p divides $b_i$, then $p \mid ((x + r)^2 - n)$ for some known value of x. This means that 
$n \equiv (x + r)^2 \pmod p$ and thus that n is a quadratic residue (QR) mod p. This means that the only 
prime factors that will appear in the factorization of any of the $b_i$'s will have Jacobi symbol 
$(n/p) = 1$. 


So, we let the factor base S consist of the k smallest $p_j$, $1 \le j \le k$, with the property that 
$(n/p_j) = 1$. We also add −1 and 2 to S, because the $b_i$'s may be negative and/or even. 


Now that we know how to construct a list of pairs $(a_i, b_i)$ satisfying 

$a_i^2 \equiv b_i \pmod n$, 
$b_i$ is smooth with respect to S, 

we can continue with Step 3 in the algorithm described in the previous subsubsection. 


We summarize the quadratic sieve method in the following figure. 

input: integer n. 
make factor base S = {−1, 2, p_1, ..., p_k} with (n/p_j) = 1 

find pairs (a_i, b_i) with a_i − ⌊√n⌋ small, 
  a_i^2 ≡ b_i (mod n), and b_i smooth w.r.t. S 

find index set I such that ∏_{i∈I} b_i is a perfect square 

put x = ∏_{i∈I} a_i, y = √(∏_{i∈I} b_i) 

put d = gcd(x − y, n) 
if d < n then d is a factor of n 
else retry with other I 


Quadratic Sieve Factoring Algorithm 

Figure 9.4 


We shall only give an example of the first two steps of the quadratic sieve method. 


Example 9.7 


Let n = 661643. To make a factor base with 10 primes, we use the Mathematica functions While, 
Length, JacobiSymbol, Prime, and AppendTo. 

n = 661643; k = 10; 
S = {-1, 2}; i = 2; 
While[Length[S] - 2 < k, 
  If[JacobiSymbol[n, Prime[i]] == 1, 
    AppendTo[S, Prime[i]]]; i = i + 1]; 
S 

{-1, 2, 11, 19, 23, 31, 37, 47, 53, 59, 79, 89} 


To try out if any of f(−5), f(−4), ..., f(5) is smooth with respect to S we use the functions 
TableForm, Table and FactorInteger. 

n = 661643; Clear[x, f]; 
r = Floor[Sqrt[n]]; m = 5; 
f[x_] := (x + r)^2 - n; 
TableForm[Table[{r + i, f[i], 
  FactorInteger[f[i]] // OutputForm}, 
  {i, -m, m}]] 

808   -8779   {{-1, 1}, {8779, 1}} 
809   -7162   {{-1, 1}, {2, 1}, {3581, 1}} 
810   -5543   {{-1, 1}, {23, 1}, {241, 1}} 
811   -3922   {{-1, 1}, {2, 1}, {37, 1}, {53, 1}} 
812   -2299   {{-1, 1}, {11, 2}, {19, 1}} 
813   -674    {{-1, 1}, {2, 1}, {337, 1}} 
814   953     {{953, 1}} 
815   2582    {{2, 1}, {1291, 1}} 
816   4213    {{11, 1}, {383, 1}} 
817   5846    {{2, 1}, {37, 1}, {79, 1}} 
818   7481    {{7481, 1}} 


We see that we have only found three pairs $(a_i, b_i)$, namely (811, −3922), (812, −2299), and 
(817, 5846). 


So, we need to try a larger range of values. We leave the rest of this example as an exercise to the 
reader (see Problem 9.7). 
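As an added example (not code from the book) serving both Example 9.6 and Example 9.7, the following Python runs Steps 2 to 4 of Figure 9.3 on the nine relations for n = 1271, with the Z_2 linear algebra of Step 3 written out, and builds the quadratic-sieve factor base and the smooth pairs of Figure 9.4 for n = 661643; the function names and the Z_2 elimination routine are my own.

```python
# Added example, not from the book: Steps 2-4 of factoring by random squares
# (Figure 9.3) on the nine relations of Example 9.6, and the factor base and
# relation search of the quadratic sieve (Figure 9.4) for Example 9.7.
from math import gcd, isqrt


def exponent_vector(b: int, base: list):
    """Exponents of b over the factor base (Step 2), or None if b is not smooth.
    A leading -1 in the base absorbs the sign of a negative b (quadratic sieve)."""
    exps = []
    for p in base:
        k = 0
        if p == -1:
            if b < 0:
                b, k = -b, 1
        else:
            while b % p == 0:
                b //= p
                k += 1
        exps.append(k)
    return exps if b == 1 else None


def gf2_dependencies(rows: list) -> list:
    """Gaussian elimination over Z_2 that remembers which input rows were added;
    every row that reduces to the zero vector yields an index set I (Step 3)."""
    pivots, deps = [], []                          # pivots: (reduced row, index set)
    for i, row in enumerate(rows):
        v, s = list(row), {i}
        for pv, ps in pivots:
            if v[pv.index(1)]:                     # cancel the pivot's leading 1
                v = [x ^ y for x, y in zip(v, pv)]
                s = s ^ ps
        if any(v):
            pivots.append((v, s))
        else:
            deps.append(sorted(s))
    return deps


def random_squares(n: int, base: list, relations: list):
    """relations: pairs (a_i, b_i) with a_i^2 = b_i (mod n) and b_i smooth over base.
    Returns (I, x, y, d) for the first dependency giving 1 < d < n (Step 4), else None."""
    vecs = [exponent_vector(b, base) for _, b in relations]
    if any(u is None for u in vecs):
        raise ValueError("every b_i must be smooth over the factor base")
    for dep in gf2_dependencies([[e % 2 for e in u] for u in vecs]):
        x = 1
        for i in dep:
            x = x * relations[i][0] % n            # x = prod a_i
        y = 1                                      # y = sqrt(prod b_i): halve the summed exponents
        for j, p in enumerate(base):
            if p != -1:
                y = y * pow(p, sum(vecs[i][j] for i in dep) // 2, n) % n
        d = gcd(x - y, n)
        if 1 < d < n:
            return dep, x, y, d
    return None


def qs_factor_base(n: int, k: int) -> list:
    """{-1, 2} plus the k smallest odd primes p with Legendre symbol (n/p) = 1."""
    base, p = [-1, 2], 3
    while len(base) - 2 < k:
        if all(p % q for q in range(3, isqrt(p) + 1, 2)):   # p is prime
            if pow(n, (p - 1) // 2, p) == 1:                 # Euler's criterion
                base.append(p)
        p += 2
    return base


def qs_relations(n: int, base: list, m: int) -> list:
    """Pairs (x + r, f(x)) with f(x) = (x + r)^2 - n, r = floor(sqrt n), for
    -m <= x <= m whose f(x) is smooth over base (first two steps of Figure 9.4)."""
    r = isqrt(n)
    found = []
    for x in range(-m, m + 1):
        b = (x + r) ** 2 - n
        if b != 0 and exponent_vector(b, base) is not None:
            found.append((x + r, b))
    return found


# Data of Example 9.6 (n = 1271, first 8 primes); relations are 0-indexed here.
BASE_1271 = [2, 3, 5, 7, 11, 13, 17, 19]
RELATIONS_1271 = [(583, 532), (536, 50), (1137, 162), (421, 572), (727, 1064),
                  (1034, 245), (1051, 102), (107, 10), (1111, 180)]

if __name__ == "__main__":
    print(random_squares(1271, BASE_1271, RELATIONS_1271))
    fb = qs_factor_base(661643, 10)                # Example 9.7
    print(fb, qs_relations(661643, fb, 5))
```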


9.3 Some Unsafe Modes for RSA 


9.3.1 A Small Public Exponent 


We shall discuss here two particular dangers described in [Hast88] (see also [CoppFPR96]). The 
first one is the situation that more people have chosen the same (small) public exponent and that a 
sender wants to transmit the same message to all of them. The second danger is when a sender 
wants to transmit several mathematically related messages to the same receiver, who happens to 
have a small public exponent. 


Both dangers may appear far-fetched to the reader, but since exponentiations modulo large numbers 
are still rather cumbersome, it remains very appealing in practical situations to select small public 
exponents. 


Sending the Same Message to More Receivers Who All Have the Same Small Public Exponent 


Suppose that Alice wants to send the same secret message m to Bob, Chuck, and Dennis. Let the 
public moduli of these three people be given by the numbers $n_B$, $n_C$, and $n_D$. Now assume that 
they all happen to have the same public exponent e = 3. The messages that Alice will transmit are 


$c_B \equiv m^3 \pmod{n_B}$ for Bob, 
$c_C \equiv m^3 \pmod{n_C}$ for Chuck, (9.11) 
$c_D \equiv m^3 \pmod{n_D}$ for Dennis. 


Almost certainly the three moduli will be coprime (otherwise at least two of the moduli are 
compromised in a trivial way). The eavesdropper Eve, who intercepts $c_B$, $c_C$, and $c_D$, can use the 
Chinese Remainder Theorem (Thm. A.19) to determine $m^3 \pmod{n_B n_C n_D}$ from (9.11). 


Since it can be assumed that $m < \min(n_B, n_C, n_D)$, also $m^3 < n_B n_C n_D$ holds. So, the above 
means that Eve in fact has found the integer $m^3$. To compute m is now straightforward. 


Example 9.8

Suppose that $n_B$ = 137703491, $n_C$ = 144660611, and $n_D$ = 149897933. Let the three intercepted messages be given by $c_B$ = 124100785, $c_C$ = 85594143, and $c_D$ = 148609330.

To solve the system of congruence relations
$$m^3 \equiv c_B \pmod{n_B};\quad m^3 \equiv c_C \pmod{n_C};\quad m^3 \equiv c_D \pmod{n_D},$$
with known right hand sides and known moduli, we use the Mathematica function ChineseRemainderTheorem. To this end we first have to load the package NumberTheory`NumberTheoryFunctions`.

    <<NumberTheory`NumberTheoryFunctions`

    nB = 137703491; nC = 144660611; nD = 149897933;
    cB = 124100785; cC = 85594143; cD = 148609330;
    mCubed = ChineseRemainderTheorem[{cB, cC, cD}, {nB, nC, nD}]

    1881563525396008211918161

We conclude that $m^3 \equiv 1881563525396008211918161 \pmod{n_B n_C n_D}$. Since $m^3 < n_B n_C n_D$, we even have $m^3 = 1881563525396008211918161$. To find m is now easy.

    m = mCubed^(1/3)

    123454321

That this outcome is correct can easily be checked by means of the Mod function.

    Mod[m^3, nB] == cB
    Mod[m^3, nC] == cC
    Mod[m^3, nD] == cD

    True
    True
    True
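The attack of Example 9.8 carried out in Python, as an added example that is not part of the original text: the three ciphertexts are combined with the Chinese Remainder Theorem and the integer cube root is extracted by bisection. The helper names crt, integer_root and hastad_broadcast are my own.

```python
from math import gcd


def crt(residues, moduli):
    """Chinese Remainder Theorem: the unique x with x = r_i (mod n_i) for every i,
    0 <= x < N = n_1 * ... * n_k, for pairwise coprime moduli. Returns (x, N)."""
    N = 1
    for n in moduli:
        N *= n
    x = 0
    for r, n in zip(residues, moduli):
        N_i = N // n
        x += r * N_i * pow(N_i, -1, n)      # N_i^{-1} mod n exists since gcd(N_i, n) = 1
    return x % N, N


def integer_root(x, e):
    """Exact e-th root of the non-negative integer x, or None if x is not a perfect
    e-th power. Bisection on integers avoids floating-point rounding for 80-bit values."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)   # hi**e > x
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** e < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** e == x else None


def hastad_broadcast(ciphertexts, moduli, e=3):
    """Eve's computation from (9.11): combine the ciphertexts with the CRT to obtain
    m^e as an integer (valid because m^e < n_B n_C n_D) and take the exact e-th root.
    Returns (m, m^e); m is None if the root is not exact."""
    if len(ciphertexts) < e:
        raise ValueError("need at least e ciphertexts for m^e to lie below the modulus product")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if g != 1:
                raise ValueError(f"moduli share the factor {g}: both keys are already broken")
    m_e, _ = crt(ciphertexts, moduli)
    return integer_root(m_e, e), m_e


if __name__ == "__main__":
    # Values of Example 9.8
    n_B, n_C, n_D = 137703491, 144660611, 149897933
    c_B, c_C, c_D = 124100785, 85594143, 148609330
    m, m_cubed = hastad_broadcast([c_B, c_C, c_D], [n_B, n_C, n_D])
    print("m^3 =", m_cubed)
    print("m   =", m)
    print("check:", all(pow(m, 3, n) == c for c, n in zip([c_B, c_C, c_D], [n_B, n_C, n_D])))
```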


o Sending Related Messages to a Receiver with Small Public Exponent

Alice wants to send two secret messages, say $m_1$ and $m_2$, to Bob, who happens to have a public exponent $e_B$ that is rather small. Let $n_B$ be Bob's modulus. Now, assume that the two messages of Alice are related in a linear way, say $m_2 = a.m_1 + b$, where a and b are in $\mathbb{Z}_{n_B}$, and assume further that eavesdropper Eve knows this linear relation.

Coppersmith et al. [CoppFPR96] describe two surprising methods for Eve to recover the plaintext $m_1$.


Direct Method

We shall first describe this method for the case e = 3.

Let the encryptions of $m_1$ and $m_2$ be denoted by $c_1$, resp. $c_2$. So, $c_1 \equiv m_1^3 \pmod{n_B}$ and $c_2 \equiv (a.m_1 + b)^3 \pmod{n_B}$. Then

$$\frac{b\,(c_2 + 2a^3 c_1 - b^3)}{a\,(c_2 - a^3 c_1 + 2b^3)} = \frac{3a^3 b\, m_1^3 + 3a^2 b^2 m_1^2 + 3ab^3 m_1}{3a^3 b\, m_1^2 + 3a^2 b^2 m_1 + 3ab^3} \equiv m_1 \pmod{n_B}. \qquad (9.12)$$

With the Mathematica function Simplify one can verify these calculations as follows

    Clear[a, b, c1, c2, m1, m2];
    Simplify[b (c2 + 2 a^3 c1 - b^3) / (a (c2 - a^3 c1 + 2 b^3)) //. {c1 -> m1^3, c2 -> (a m1 + b)^3}]


A particularly simple case is given by $m_1 = m$ and $m_2 = m + 1$, i.e. a = b = 1. Then (9.12) reduces to

$$\frac{c_2 + 2c_1 - 1}{c_2 - c_1 + 2} = \frac{(m+1)^3 + 2m^3 - 1}{(m+1)^3 - m^3 + 2} = \frac{3m^3 + 3m^2 + 3m}{3m^2 + 3m + 3} \equiv m \pmod{n_B}.$$
Example 9.9

Suppose that $n_B$ = 477310661 and that the messages $m_1$ and $m_2$ are related by $m_2 \equiv 3m_1 + 5 \pmod{n_B}$. So, a = 3 and b = 5. Let $c_1$ = 5908795 and $c_2$ = 374480016. Then $m_1$ can be computed with the Mathematica functions Mod and Solve as follows

    Clear[c1, c2, f, g, m1, m2, a, b];
    n = 477310661;
    c1 = 5908795; c2 = 374480016;
    a = 3; b = 5;
    f = Mod[b (c2 + 2 a^3 c1 - b^3), n];
    g = Mod[a (c2 - a^3 c1 + 2 b^3), n];
    Solve[{f == g m1, Modulus == n}, m1]

    {{Modulus -> 477310661, m1 -> 321321321}}

So, we have found $m_1$ = 321321321. That this is indeed the solution can be verified quite easily as follows

    m1 = 321321321;
    m2 = Mod[3 m1 + 5, n]
    PowerMod[m1, 3, n] == c1
    PowerMod[m2, 3, n] == c2

    9342646
    True
    True

If a = b = 1 and $e_B$ > 3, a method like the above still exists. In fact, it can be shown [CoppFPR96] that polynomials P(m) and Q(m) exist such that each of them can be expressed as rational polynomials in $c_1 \equiv m^{e} \pmod{n_B}$ and $c_2 \equiv (m + 1)^{e} \pmod{n_B}$ and such that Q(m) = m.P(m). For $e_B$ = 5 these polynomials are given by

P(m) = 63 +2, 8 —4c3.c7 +8 — 265 +90, 02 +8 +0. -2¢), 


Q(m) = 9c, 3 -9c?. 


Again, one can check this with

    Clear[c1, c2, m];
    P22? 42014027 - 401702401) - 2027+
    Sclec2d +8 cl? +02 -2c1; QO = 9cels«c2?-9c1';
    Expand[P //. {c1 -> m^5, c2 -> (m + 1)^5}]
    Expand[Q //. {c1 -> m^5, c2 -> (m + 1)^5}]
    Simplify[Q/P //. {c1 -> m^5, c2 -> (m + 1)^5}]


To find such a solution, write $P = \sum_{i+j \le e} p_{i,j}\, c_1^i c_2^j$ and $Q = \sum_{i+j \le e} q_{i,j}\, c_1^i c_2^j$. Next, substitute $c_2 = (m+1)^e$ and $c_1 = m^e$ in P and Q to obtain two polynomials in m of degree $\le e^2$. Now equate the coefficients of m in Q(m) = m.P(m). This gives a system of linear equations in the $2((e+1) + e + \dots + 2 + 1) = 2\binom{e+2}{2} = (e+2)(e+1)$ coefficients of P and Q. So, there is in fact a large solution space.

Since the number of terms in P(m) and Q(m) grows quadratically in e, the above approach will still be rather cumbersome for larger values of e.


Method through GCD calculation

For arbitrary values of e there is a more direct way to determine $m_1$ and $m_2$ from $c_1$ and $c_2$, when they satisfy a polynomial relation that is known to the eavesdropper. Suppose that $m_2 \equiv f(m_1) \pmod{n_B}$. The idea is to compute the gcd of $z^e - c_1$ and $(f(z))^e - c_2$. Indeed, since $m_1$ is a zero of both polynomials, it follows that both are divisible by $z - m_1$. As a consequence, also the gcd will contain this factor. Almost certainly the gcd will not contain any other factors.

We shall demonstrate this idea with an example.


Example 9.10

Let $e_B$ = 5, $n_B$ = 466883. Further suppose that the messages $m_1$ and $m_2$ are related by $m_2 = 2m_1 + 3$ and that they are encrypted into $c_1$ = 66575, resp. $c_2$ = 387933. We want to compute $\gcd(z^5 - 66575,\ (2z + 3)^5 - 387933) \bmod 466883$. In general, this can not be done since $n_B$ is not prime. Also Mathematica can not do this directly. We shall simply follow the polynomial version of Euclid's Algorithm step by step. Problems may arise when numbers appear that are not coprime with n. This happens rarely and is not bad at all. Indeed, one almost always finds in this way a non-trivial factor of n, so the system will be broken!

In the first step we calculate $f_1 = (2z + 3)^5 - 387933$ and $f_2 = z^5 - 66575$ and then divide $f_1$ by $f_2$. We use the Mathematica functions PolynomialMod and Expand.






    n = 466883;
    c1 = 66575; c2 = 387933;
    f1 = Expand[(2 z + 3)^5 - c2]
    f2 = z^5 - c1
    f3 = PolynomialMod[f1 - 32 f2, n]

    -387690 + 810 z + 1080 z^2 + 720 z^3 + 240 z^4 + 32 z^5
    -66575 + z^5
    342061 + 810 z + 1080 z^2 + 720 z^3 + 240 z^4

To keep the division process more manageable, we normalize $f_3$ by multiplying it with the multiplicative inverse of its leading coefficient (mod $n_B$). We use the Mathematica function PowerMod.

    InverseLeadCoeff = PowerMod[240, -1, n]
    f3 = PolynomialMod[InverseLeadCoeff f3, n]

    258731
    376877 + 408526 z + 233446 z^2 + 3 z^3 + z^4


We continue with this division process until $f_k = 0$ for some k. The gcd will be given by $f_{k-1}$.

    f4 = PolynomialMod[f2 - f3 (z + 466880), n]

    130290 + 381818 z + 291812 z^2 + 233446 z^3

    InverseLeadCoeff = PowerMod[233446, -1, n]
    f4 = PolynomialMod[InverseLeadCoeff f4, n]

    103752
    184581 + 292352 z + 116723 z^2 + z^3

The same two steps (division, then normalization of the remainder) give the remaining polynomials; Mathematica returns

    349909
    397084 + 98465 z + z^2

    132235
    466340 + z

We conclude that k = 7 and that
$$\gcd(z^5 - 66575,\ (2z + 3)^5 - 387933) = z + 466340 \equiv z - 543 \pmod{466883}.$$


Therefore, the secret message $m_1$ is 543. One can check this with the Mathematica function PowerMod.

    m = 543;
    PowerMod[m, 5, n] == c1
    PowerMod[2 m + 3, 5, n] == c2

    True
    True

The above approach of finding m by computing a gcd is still practical for e up to 32 bits long ([CoppFPR96]).
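Both of Eve's methods from this subsection in Python, as an added example (not the book's Mathematica code): the polynomial gcd over $\mathbb{Z}_n$ of Example 9.10, run through Euclid's algorithm with the same normalization of the leading coefficient, and formula (9.12) of the direct method applied to the data of Example 9.9. Function names are my own; the polynomial helpers are written here, not taken from a library.

```python
from math import comb, gcd


def trim(p):
    """Strip leading zero coefficients; polynomials are coefficient lists, lowest degree first."""
    while p and p[-1] == 0:
        p.pop()
    return p


def make_monic(p, n):
    """Multiply by the inverse of the leading coefficient mod n (the PowerMod step of
    Example 9.10). A leading coefficient not coprime with n reveals a factor of n."""
    g = gcd(p[-1], n)
    if g != 1:
        raise ValueError(f"leading coefficient shares the factor {g} with n; n is factored")
    inv = pow(p[-1], -1, n)
    return [(c * inv) % n for c in p]


def poly_rem(f, g, n):
    """Remainder of f on division by the monic polynomial g, coefficients mod n."""
    f = trim([c % n for c in f])
    dg = len(g) - 1
    while len(f) > dg:                      # deg f >= deg g
        lead, shift = f[-1], len(f) - 1 - dg
        for i, gc in enumerate(g):          # subtract lead * z^shift * g
            f[shift + i] = (f[shift + i] - lead * gc) % n
        trim(f)                             # the leading term is now zero
    return f


def poly_gcd(f, g, n):
    """Euclid's algorithm on polynomials over Z_n: the f_1, f_2, ..., f_k sequence of
    Example 9.10. The result is returned monic."""
    f, g = trim([c % n for c in f]), trim([c % n for c in g])
    while g:
        g = make_monic(g, n)
        f, g = g, poly_rem(f, g, n)
    return make_monic(f, n)


def related_message_gcd(c1, c2, e, n, a, b):
    """Eve's gcd method: m1 is the common root of z^e - c1 and (a z + b)^e - c2 (mod n).
    Returns m1, or None when the gcd is not linear."""
    f = [comb(e, i) * a**i * b**(e - i) for i in range(e + 1)]   # (a z + b)^e expanded
    f[0] -= c2
    g = [-c1] + [0] * (e - 1) + [1]                                # z^e - c1
    h = poly_gcd(f, g, n)
    if len(h) != 2:
        return None
    return (-h[0]) % n                                             # h = z - m1


def related_message_direct_e3(c1, c2, n, a, b):
    """Formula (9.12) for e = 3: m1 = b(c2 + 2a^3 c1 - b^3) / (a(c2 - a^3 c1 + 2b^3)) mod n."""
    num = b * (c2 + 2 * a**3 * c1 - b**3) % n
    den = a * (c2 - a**3 * c1 + 2 * b**3) % n
    return num * pow(den, -1, n) % n


if __name__ == "__main__":
    # Example 9.10: e = 5, n = 466883, m2 = 2 m1 + 3
    print("Example 9.10, m1 =", related_message_gcd(66575, 387933, 5, 466883, 2, 3))
    # Example 9.9: e = 3, n = 477310661, m2 = 3 m1 + 5, ciphertexts from the text
    n = 477310661
    print("Example 9.9 (direct), m1 =", related_message_direct_e3(5908795, 374480016, n, 3, 5))
    print("Example 9.9 (gcd),    m1 =", related_message_gcd(5908795, 374480016, 3, n, 3, 5))
```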


9.3.2 A Small Secret Exponent; Wiener's Attack

Wiener [Wien90] shows that it is unsafe to use the RSA system with a small secret exponent d, where "small" means something like $n^{1/4}$. This observation is of importance, because often one is inclined to reduce the work load of the exponentiation by choosing a small exponent. For instance, if a smart card is used to sign messages (see Subsection 9.1.3), it will have to compute exponentiations $c^d \pmod n$. If the card has limited computing power, a relatively small value of d (of course not so small that d can be found by exhaustive search) would be handy.

We first show that we can replace (9.4) by the slightly stronger relation
$$e.d \equiv 1 \pmod{\operatorname{lcm}(p - 1, q - 1)},$$
where lcm denotes the least common multiple. We remark that p − 1 and q − 1 both divide φ(n) and so does lcm(p − 1, q − 1). Now note that for a correct functioning of the RSA system, one only needs that $e.d \equiv 1 \pmod{p - 1}$ and $e.d \equiv 1 \pmod{q - 1}$. The reason is that these two congruences are sufficient to prove that (9.5) and (9.6) hold modulo p resp. modulo q. From the Chinese Remainder Theorem it then follows that (9.5) and (9.6) also hold modulo n. We conclude that it is sufficient that $e.d \equiv 1 \pmod{\operatorname{lcm}(p - 1, q - 1)}$.


The subsequent cryptanalysis will deal with this most general case. It is the cryptanalyst's aim to find d satisfying this relation (and also p and q). The above congruence can be rewritten as
$$e.d = 1 + K.\operatorname{lcm}(p - 1, q - 1) = 1 + \frac{K}{G}\,(p - 1)(q - 1),$$
where G = gcd(p − 1, q − 1). If K and G have a factor in common, the above relation may be further simplified to
$$e.d = 1 + \frac{k}{g}\,(p - 1)(q - 1), \quad \text{with } \gcd(k, g) = 1. \qquad (9.13)$$

One should realize that often G (and thus also g) will be very small. In a typical RSA system, p and q will be safe primes, meaning that p − 1 = 2.p' and q − 1 = 2.q', with p' and q' prime. So, in this case G = 2 and g = 1 or 2.


Let us rewrite (9.13) by dividing both sides by d.n (= d.p.q) and rearranging the terms:
$$\frac{e}{n} = \frac{k}{d.g}\left(1 - \frac{1}{p} - \frac{1}{q} + \frac{1}{n}\right) + \frac{1}{d.n}. \qquad (9.14)$$
What we like to show is that k/(d.g) is a convergent of the continued fraction of the known rational e/n. Since these continued fractions are easy to compute, it is then possible to find the secret exponent d (and k and g).


Theorem 9.2

Assume that $p \sim q \sim \sqrt{n}$, $e \sim n$, and 2g < d. Then $k \sim g.d$ and the numbers d, k, g, p, and q can be found from the continued fraction of e/n for secret exponents d up to $n^{1/4}$.


Remark 1:

We shall be a little sloppy with the use of the ~ symbol. What we mean with a ~ b is something like "a and b have the same order of magnitude".

Remark 2:

We already discussed the likelihood that g is small. If d is selected as a small integer, the value of e will be like that of a random number in the range {1, 2, ..., lcm(p − 1, q − 1)}, so also the assumption e ~ n is very reasonable. The same holds for $p \sim q \sim \sqrt{n}$ (see the discussion around Example 9.2).

Remark 3:

Relation (9.14) implies that k/(d.g) > e/n; therefore, it suffices to check only the odd convergents of e/n.

Proof of Theorem 9.2:

If e ~ n then k ~ g.d by (9.14), since the other terms there all tend to zero. It further follows from (9.14) that
$$\frac{k}{d.g} - \frac{e}{n} = \frac{k}{d.g}\left(\frac{1}{p} + \frac{1}{q} - \frac{1}{n}\right) - \frac{1}{d.n}.$$
Since $2g.d < d^2 < n^{1/2}$, we conclude that
$$\left|\frac{k}{d.g} - \frac{e}{n}\right| \approx \frac{2}{\sqrt{n}} < \frac{1}{2\,(d.g)^2}.$$
It follows from Theorem A.35 that the rational number k/(d.g) will appear as a convergent in the continued fraction of e/n. Since gcd(k, g) = 1 and since (9.13) also implies that gcd(k, d) = 1, it follows from Corollary A.32 that k and d.g will be obtained from one of the convergents. Because g is very small, we can find g and d with a small trial and error effort.

From (9.13) one can now compute (p − 1)(q − 1) and since p.q is known, one can also find the factorization of n into p and q.


Example 9.11

Consider n = 9998000099 and e = 6203014673. Let us compute the successive convergents of e/n. We first load the Mathematica package NumberTheory`ContinuedFractions` and then we can use the functions ContinuedFraction and Normal.

    <<NumberTheory`ContinuedFractions`

Let us check why the last one does not lead to d (the other cases are even simpler). Writing 18/29 = k/(d.g) leads to k = 18, g = 1, and d = 29. An easy argument to show that this is not the right value of d is an encryption followed by a decryption, not resulting in the original message. We use the function PowerMod.

Let us try the next convergent.





Writing 85/137 = k/(d.g) leads to k = 85, g = 1, and d = 137. From (9.13) we get (p − 1)(q − 1) = 9997800120.

    9997800120

Together with n = p.q = 9998000099 we get p + q − 1 = p.q − (p − 1)(q − 1) =

    199979

So, p and q are the roots of $(x - p)(x - q) = x^2 - 199980\,x + 9998000099$. They can be found with the function Solve

    {{x -> 99989}, {x -> 99991}}

Indeed, 99989 × 99991 = n.
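Wiener's attack of Theorem 9.2 and Example 9.11 in Python, as an added example that is not from the original text: the convergents of e/n are built from the partial quotients, each candidate k/(d.g) is substituted in (9.13) with small trial values of g, and p and q are recovered from (p − 1)(q − 1) exactly as in the example. Function names are my own.

```python
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients [a0; a1, a2, ...] of num/den, by Euclid's algorithm."""
    quotients = []
    while den:
        a, r = divmod(num, den)
        quotients.append(a)
        num, den = den, r
    return quotients


def convergents(quotients):
    """Successive convergents h_i/k_i as (h_i, k_i) pairs."""
    h_prev, h = 0, 1        # h_{-2}, h_{-1}
    k_prev, k = 1, 0        # k_{-2}, k_{-1}
    out = []
    for a in quotients:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        out.append((h, k))
    return out


def factor_from_phi(n, phi):
    """p, q from n = p.q and phi = (p-1)(q-1): the roots of x^2 - (n - phi + 1) x + n,
    as in Example 9.11. Returns None when the discriminant is not a perfect square."""
    s = n - phi + 1                   # p + q
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s - r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p > 1 and p * q == n else None


def wiener(n, e, max_g=8):
    """Theorem 9.2: read k/(d.g) off the convergents of e/n, solve (9.13) for (p-1)(q-1)
    with small trial values of g, and accept when n factors. Returns (d, p, q) or None."""
    for k, dg in convergents(continued_fraction(e, n)):
        if k == 0:
            continue
        for g in range(1, max_g + 1):          # g is usually 1 or 2 (safe primes)
            if dg % g or (e * dg - g) % k:
                continue                       # (9.13) times g: e.d.g = g + k (p-1)(q-1)
            phi = (e * dg - g) // k
            pq = factor_from_phi(n, phi)
            if pq:
                return dg // g, pq[0], pq[1]
    return None


if __name__ == "__main__":
    n, e = 9998000099, 6203014673               # Example 9.11
    print("convergents of e/n:", convergents(continued_fraction(e, n))[:10])
    d, p, q = wiener(n, e)
    print(f"d = {d}, p = {p}, q = {q}")
    print("round trip:", pow(pow(2, e, n), d, n) == 2)
```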
9.3.3 Some Physical Attacks

Clearly physical attacks on cryptographic implementations are beyond the scope of this introduction. Nevertheless, two such attacks will be mentioned briefly, because of their relation to theory that we have explained here.

o Timing Attack

Suppose that RSA is implemented on a hardware device (like a smartcard), and that the secret exponentiation ($m \to (m^d \bmod n)$ or $c \to (c^d \bmod n)$) in the RSA process follows a computational scheme of the type explained in Subsection 8.1.1, i.e. any method that consists of repeated squarings and/or multiplications. See for instance Example 8.1.3.

It is further assumed in this attack (see [Koch96]) that an observer can measure the electromagnetic radiation or power consumption of the device and can clock the length of the various calculations. Typically, a multiplication takes longer than a simple squaring operation.

In this way, the attacker can determine the particular sequence of squarings and multiplications that the program went through. Based on the outcome, he can simply compute the secret exponent d stored on the card.

For instance, if the measurements give Sq.Sq.M.Sq.Sq.M.Sq.Sq.M.Sq.M, where Sq stands for Squaring and M for Multiplying, we get the exponent from

    Clear[a];
    ((((((a^2)^2 a)^2)^2 a)^2)^2 a)^2 a

    a^171

o The "Microwave" Attack

Suppose again that RSA is implemented on a hardware device (say a smartcard), but now assume that the secret exponentiation ($m \to (m^d \bmod n)$ or $c \to (c^d \bmod n)$) in the RSA process makes use of the Chinese Remainder Theorem (Thm. A.19). See for instance Example 9.1, Part 4. So, we assume that two independent exponentiations take place on this device: one modulo p and one modulo q, where n = p.q.

Now suppose that this RSA implementation is used to sign data (this is the simplest version of the attack, cf. [LensA96] and [BoDML97]). So, typically, the attacker presents a message m to the smart card and would normally expect $c = (m^d \bmod n)$ back. However, the attacker submits the smart card, when it is making its calculations, to the right kind of radiation ("just put it in a microwave" is an oversimplification of this attack) and hopes that in one of the two exponentiations an incorrect calculation will be made.

For instance, the smart card calculates $c_1 = (m^d \bmod p)$ correctly, but gets a wrong value for $c_2$, i.e. $c_2' \ne (m^d \bmod q)$. The reader should remember that in the smart card values a and b are stored satisfying
$$a \equiv 1 \pmod p,\quad a \equiv 0 \pmod q,\qquad b \equiv 0 \pmod p,\quad b \equiv 1 \pmod q.$$
So, the card will output $c' = (a.c_1 + b.c_2' \bmod n)$. Now note that since b ≡ 0 (mod p) and a ≡ 0 (mod q)
$$c - c' = a.c_1 - a.c_1 \equiv 0 \pmod p,$$
$$c - c' = b.c_2 - b.c_2' = b\,(c_2 - c_2') \not\equiv 0 \pmod q.$$
It follows that gcd(c − c', n) gives a non-trivial factorization of n.

It depends on the application whether the attacker can let the card give the correct value of c too (for instance by having the card sign m again without introducing any radiation). A way around this problem is to let the attacker select a message c, compute $m = (c^e \bmod n)$ with the public exponent e and submit m when attacking the card. In this way, the correct value of c is already known beforehand.


Example 9.1 (Part 6)

We continue with the parameters of Example 9.1, so $p_B$ = 9733, $q_B$ = 10177, $n_B$ = 99052741, $e_B$ = 81119923, and $d_B$ = 17089915.

Further, a = 45287650 and b = 53765092 (see Ex. 9.1, Part 4). When c = 11111111, the corresponding message m is given by

    n = 99052741; e = 81119923;
    c = 11111111;
    m = PowerMod[c, e, n]

    24307114

So, when signing m = 24307114 the card should produce c = 11111111.

In its calculations the card computes numbers $c_1$ and $c_2$ and gets c as follows:

    p = 9733; q = 10177;
    d = 17089915; d1 = Mod[d, p - 1]; d2 = Mod[d, q - 1];
    m1 = Mod[m, p]; m2 = Mod[m, q];
    a = 45287650; b = 53765092;
    c1 = PowerMod[m1, d1, p];
    c2 = PowerMod[m2, d2, q];
    c = Mod[a c1 + b c2, n]

    11111111

However, when $c_1$ is calculated incorrectly due to radiation, say $c_1'$ = 8765, the card will produce an incorrect value c' for c = 11111111 and the gcd of the difference of these two numbers with n will yield a factor of n.

    c1Prime = 8765;
    cPr = Mod[a c1Prime + b c2, n]
    GCD[c - cPr, n]

    $2608527
    10177

The number 10177 is indeed one of the two factors of n.
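Both physical attacks of Subsection 9.3.3 in Python, as an added example (not code from the book): the timing trace is turned back into the exponent, and the CRT signature of Example 9.1 (Part 6) is computed once correctly and once with a hypothetical wrong value of $c_1$, after which gcd(c − c', n) yields a factor. Function names, and the faulty value injected through the faulty_c1 parameter, are assumptions of the example.

```python
from math import gcd


def exponent_from_trace(trace):
    """Timing attack: rebuild d from the observed sequence of squarings ('Sq') and
    multiplications ('M') of a left-to-right square-and-multiply exponentiation.
    The leading 1 bit is implicit; each 'Sq' appends a 0 bit and an 'M' directly
    after it turns that bit into a 1."""
    d, prev = 1, "M"
    for op in trace:
        if op == "Sq":
            d <<= 1
        elif op == "M" and prev == "Sq":
            d |= 1
        else:
            raise ValueError(f"unexpected operation {op!r} after {prev!r}")
        prev = op
    return d


def crt_coefficients(p, q):
    """a = 1 (mod p), a = 0 (mod q) and b = 0 (mod p), b = 1 (mod q), as stored on the card."""
    n = p * q
    a = q * pow(q, -1, p) % n
    b = p * pow(p, -1, q) % n
    return a, b


def crt_sign(m, d, p, q, a, b, faulty_c1=None):
    """RSA signature via the CRT: c1 = m^d mod p, c2 = m^d mod q, c = a c1 + b c2 mod n.
    faulty_c1 is a hypothetical wrong c1, standing in for the radiation-induced error."""
    n = p * q
    c1 = pow(m % p, d % (p - 1), p)
    c2 = pow(m % q, d % (q - 1), q)
    if faulty_c1 is not None:
        c1 = faulty_c1
    return (a * c1 + b * c2) % n


def factor_from_faulty_signature(c_good, c_bad, n):
    """gcd(c - c', n) is a non-trivial factor when exactly one half of the CRT went wrong."""
    return gcd(c_good - c_bad, n)


if __name__ == "__main__":
    # Timing trace quoted in the text: Sq.Sq.M.Sq.Sq.M.Sq.Sq.M.Sq.M
    trace = "Sq.Sq.M.Sq.Sq.M.Sq.Sq.M.Sq.M".split(".")
    d_trace = exponent_from_trace(trace)
    print("exponent from trace:", d_trace, bin(d_trace))

    # Example 9.1 (Part 6)
    p, q, e, d = 9733, 10177, 81119923, 17089915
    n = p * q
    a, b = crt_coefficients(p, q)
    c = 11111111
    m = pow(c, e, n)                   # the attacker picks c and submits m = c^e mod n
    print("a, b =", a, b)
    print("m =", m, "signs to", crt_sign(m, d, p, q, a, b))
    c_bad = crt_sign(m, d, p, q, a, b, faulty_c1=8765)
    print("faulty signature:", c_bad, " gcd(c - c', n) =", factor_from_faulty_signature(c, c_bad, n))
```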


9.4 How to Generate Large Prime Numbers; Some Primality Tests

9.4.1 Trying Random Numbers

To make the RSA system practical, one needs an efficient way to generate very long prime numbers. The following pseudo-algorithm describes a probabilistic way of how this can be done.

Algorithm 9.3 Method to generate an l-digit long prime number

Step 1: Write down a random, odd integer u of l digits long.

Step 2: Test the candidate u for primality.
If u is not prime, go back to Step 1, otherwise STOP.

In the next two paragraphs we shall discuss several ways to test an integer u for primality. The first two tests do not give an absolute guarantee that u is prime, but the probability that a composite number u meets the test can be made arbitrarily small. The third test (of which only an outline will be given in Subsection 9.4.3) can guarantee the primality, but it is much slower. For other tests we refer the reader to [Knut81], Section 4.5.4.


Example 9.12

In Mathematica one can use the functions Random, PrimeQ, and While to simulate the above algorithm. Note that the parity of u is not tested below (this is not an essential part of the above algorithm anyway).

    u = 1; l = 3;
    att = 0;
    While[PrimeQ[u] == False, att = att + 1;
      u = Random[Integer, {10^(l - 1), 10^l}]];
    Print["prime number is ", u]
    Print[att, " attempt(s)"]

    prime number is 907
    7 attempt(s)


How often does one expect to have to go through Steps 1 and 2 in the above "algorithm" before obtaining a prime? To answer this question we have to know the fraction of the prime numbers in the set of odd, l-digit numbers. To this end we quote the Prime Number Theorem (Th. A.2).

Theorem 9.4
Let π(x) count the number of primes less than or equal to x (see Definition A.1). Then
$$\lim_{x \to \infty} \frac{\pi(x)}{x / \ln x} = 1.$$

With the Prime Number Theorem one can quite easily obtain an approximation of the fraction of odd, l-digit numbers that are prime. One gets
$$\frac{\pi(10^l) - \pi(10^{l-1})}{(10^l - 10^{l-1})/2} \overset{\text{PNT}}{\approx} \frac{\dfrac{10^l}{l \ln 10} - \dfrac{10^{l-1}}{(l-1)\ln 10}}{(10^l - 10^{l-1})/2} = \frac{2\,(9l - 10)}{9\,l\,(l-1)\ln 10} \approx \frac{2}{l \ln 10}.$$

For instance, with l = 100, one gets

    l = 100;
    EstimateProb[l_] = 2 (9 l - 10) / (9 l (l - 1) Log[10]);
    N[EstimateProb[100], 3]

    0.00868

So, the expected number of trials in the prime generation algorithm above will be 115.


9.4.2 Probabilistic Primality Tests

o The Solovay and Strassen Primality Test

Let p be a prime number. We recall from Definition A.9 that an integer u with p ∤ u (read: p does not divide u) is called a quadratic residue (QR) modulo p, if the equation
$$x^2 \equiv u \pmod p$$
has an integer solution. If p ∤ u and this congruence relation does not have an integer solution, u will be called a quadratic non-residue modulo p (NQR). The well known Legendre symbol (u/p) (see Definition A.10) is defined by
$$\left(\frac{u}{p}\right) = \begin{cases} +1 & \text{if } u \text{ is a quadratic residue mod } p, \\ -1 & \text{if } u \text{ is a quadratic non-residue mod } p, \\ 0 & \text{if } p \text{ divides } u. \end{cases}$$

The Jacobi symbol (u/m) (see Definition A.11) generalizes the Legendre symbol to all odd integers m. Let $m = \prod_i p_i^{e_i}$ where the $p_i$'s are (not necessarily distinct) odd primes. Then (u/m) is defined by
$$\left(\frac{u}{m}\right) = \prod_i \left(\frac{u}{p_i}\right)^{e_i}.$$
In Section A.4, the reader can find all kinds of properties of the Legendre symbol and the Jacobi symbol. These properties culminate in an extremely efficient algorithm to compute the values of these symbols. An example can be found there. In Mathematica, both symbols can be computed with the JacobiSymbol function:

    JacobiSymbol[12703, 16361]

    1

As a matter of fact, since m in the example above is a prime number, it is quite easy to compute a "square root" of u. For a discussion of how this can be done, we refer the reader to Section 9.5. In Mathematica one can simply use the Solve function.
    Clear[x];
    Solve[{x^2 == 12703, Modulus == 16361}, x]

    {{Modulus -> 16361, x -> 7008}, {Modulus -> 16361, x -> 9353}}

Indeed, $(\pm 7008)^2 \equiv 12703 \pmod{16361}$, as can be checked with the PowerMod function.

    PowerMod[7008, 2, 16361]

    12703

To find a solution of the equation $x^2 \equiv u \pmod m$ for composite integers m is, in general, a very difficult problem and intractable for large values of m (see [Pera86] for a discussion of this problem).

If m is the product of different primes and this factorization is known (!), one can find the square root of u by finding the square root of u modulo all the prime factors of m and then combining the results by means of the Chinese Remainder Theorem. In Section 9.5, this method will be demonstrated. When m has higher prime powers in its factorization, matters get much more complicated.


Let p be a prime number, p > 2. We recall from Theorem A.23 that for all integers u:
$$\left(\frac{u}{p}\right) \equiv u^{(p-1)/2} \pmod p. \qquad (9.15)$$

The Solovay and Strassen Algorithm [SolS77] relies on the following theorem.

Theorem 9.5
Let m be an odd integer and let G be defined by
$$G = \left\{\, 0 < u < m \;\middle|\; \gcd(u, m) = 1 \text{ and } \left(\tfrac{u}{m}\right) \equiv u^{(m-1)/2} \pmod m \,\right\}.$$
Then
$$|G| = m - 1 \quad \text{if } m \text{ is prime}, \qquad (9.16)$$
$$|G| \le (m - 1)/2 \quad \text{if } m \text{ is not a prime}. \qquad (9.17)$$

Proof: If m is prime, every integer 0 < u < m satisfies (9.15), and has gcd 1 with m, so |G| = m − 1 in this case.
So, we now consider the case that m is not a prime number. Clearly, G is a subgroup of the multiplicative group
$$\mathbb{Z}_m^* = \{\, 0 < u < m \mid \gcd(u, m) = 1 \,\}.$$


It follows (from Theorem B.5) that the cardinality of G divides that of $\mathbb{Z}_m^*$. So, if $G \ne \mathbb{Z}_m^*$, we can conclude that $|G| \le |\mathbb{Z}_m^*|/2 = \varphi(m)/2 \le (m - 1)/2$. This would prove the theorem. We conclude that it suffices to prove the existence of an element u in $\mathbb{Z}_m^*$ with $\left(\frac{u}{m}\right) \not\equiv u^{(m-1)/2} \pmod m$.

We distinguish two cases. In [SolS77], the authors omit to consider the case that m is a square. In the proof below, which is due to J.W. Nienhuys (private communication), Case 1 will cover this possibility.

Case 1: The number m is divisible by at least the square of some prime number. We write $m = p^r.s$ with p an odd prime, r ≥ 2, and gcd(p, s) = 1.
Let u be a solution of the system of simultaneous congruence relations:
$$u \equiv 1 + p \pmod{p^r}, \qquad (9.18)$$
$$u \equiv 1 \pmod s. \qquad (9.19)$$

By the Chinese Remainder Theorem (Thm. A.19) such a solution u exists and is unique modulo m. Clearly, $\gcd(u, p^r) = \gcd(u, s) = 1$, so gcd(u, m) = 1, i.e. $u \in \mathbb{Z}_m^*$.

It follows from (9.18), the binomial theorem, and an argument similar to the proof of Theorem B.26 that $u^m \equiv (1 + p)^m \equiv 1 \pmod{p^r}$. By (9.19) we also have that $u^m \equiv 1 \pmod s$. By the Chinese Remainder Theorem we now have that $u^m \equiv 1 \pmod m$.

Since $u \not\equiv 1 \pmod m$ by (9.18), it also follows that $u^{m-1} \not\equiv 1 \pmod m$. This in turn implies that $u^{(m-1)/2} \not\equiv \pm 1 \pmod m$, which implies that u can not satisfy (9.15). We conclude that this element u is a member of $\mathbb{Z}_m^*$, but not of G.

Case 2: m is the product of s distinct prime numbers, say $m = p_1 p_2 \cdots p_s$, with s ≥ 2.

Let a be a quadratic non-residue modulo $p_1$. By the Chinese Remainder Theorem there is a unique integer u modulo m satisfying the system of simultaneous congruence relations
$$u \equiv a \pmod{p_1}, \qquad (9.20)$$
$$u \equiv 1 \pmod{p_i},\quad 2 \le i \le s. \qquad (9.21)$$

Clearly, $\gcd(u, p_i) = 1$ for $1 \le i \le s$, so $u \in \mathbb{Z}_m^*$. To show that $u \notin G$, we need to show that (9.15) does not hold.
Since $u \equiv 1 \pmod{p_i}$, $2 \le i \le s$, it follows that $\left(\frac{u}{p_i}\right) = 1$ for these indices. But $\left(\frac{u}{p_1}\right) = \left(\frac{a}{p_1}\right) = -1$ because a is NQR. From the definition of the Jacobi symbol (Def. A.11) it follows that $\left(\frac{u}{m}\right) = -1$. In particular this implies that $\left(\frac{u}{m}\right) \equiv -1 \pmod{p_i}$ for any $2 \le i \le s$.

On the other hand, (9.21) implies that $u^{(m-1)/2} \equiv 1 \pmod{p_i}$ for any $2 \le i \le s$. Hence
$$\left(\frac{u}{m}\right) \not\equiv u^{(m-1)/2} \pmod{p_i}$$
for any i, $2 \le i \le s$, and a fortiori (9.15) does not hold.

We can now describe the Solovay and Strassen Algorithm.





In the algorithm above, k can be any positive integer. The probability that k independently and randomly selected elements u will pass the two tests given in Algorithm 9.6, while m is not prime, is less than or equal to $2^{-k}$ by Theorem 9.5. By taking k sufficiently large, the probability that a non-prime number survives the above algorithm can be made arbitrarily small.

See however the Miller-Rabin test in the next subsubsection, where we have $4^{-k}$ as probability that a composite number is not detected after k tests.

Example 9.13

To test if the odd number m = 1234563 is prime we use the Mathematica functions GCD, JacobiSymbol, PowerMod, and Mod:








False 


The reader is invited to test m = 104729 for primality. 


o Miller-Rabin Test

The Miller-Rabin test [Mill76], [Rabi80a] is based on the fact (see Theorem B.14) that the equation $x^2 \equiv 1 \pmod p$ has only two solutions: $x \equiv \pm 1 \pmod p$.

So, let m be an odd integer that we want to test for primality. Assuming for a moment that m is in fact prime, we have by Fermat's Theorem (Thm. A.15) that any integer a with gcd(a, m) = 1 satisfies $a^{m-1} \equiv 1 \pmod m$.

Since m − 1 is even, it follows that $a^{(m-1)/2} \equiv \pm 1 \pmod m$. If $a^{(m-1)/2}$ happens to be +1 and (m − 1)/2 is even, we can repeat the argument, so in this case we conclude that $a^{(m-1)/4} \equiv \pm 1 \pmod m$, etc. In this way, one can prove the following lemma.

Lemma 9.7

Let p be a prime and write $p - 1 = a.2^f$, with a odd. Let u be an integer in between 1 and p − 1. Then

either $u^a \equiv 1 \pmod p$

or $u^{a.2^i} \equiv -1 \pmod p$ for some $0 \le i < f$.

To test an odd integer m for primality we proceed as follows. First we write $m - 1 = a.2^f$, with a odd. Next we pick a random integer u, 2 ≤ u < m, and compute from left to right $u^a, u^{a.2}, \ldots, u^{a.2^{f-1}}$. As soon as one of these numbers is not in {−1, 1} while the next one is +1, or if $u^{a.2^{f-1}} \not\equiv \pm 1 \pmod m$, we may conclude that m is composite and we can stop.


We repeat the test k times, where k is a security parameter that will be discussed in a moment.

Let m be an integer and let u be such that $u^{2j} \equiv 1 \pmod m$, j ≥ 1, while $u^{j} \not\equiv \pm 1 \pmod m$. Then u is called a strong witness to the compositeness of m. It gives a proof that m is composite.

On the other hand, let m be composite and let u be an integer that satisfies $u^a \equiv 1 \pmod m$ or $u^{a.2^j} \equiv -1 \pmod m$ for some $0 \le j \le f - 1$; then this u is called a strong liar (to the primality) of m.

For an efficient primality test we want composite numbers to have as few strong liars as possible.

Algorithm 9.8 Miller-Rabin primality test
input      odd integer m (candidate)
           security parameter k
initialize prime=True; i=1;
write m − 1 = a.2^f, a odd
while prime and i ≤ k do
begin
    select a random integer u, 1 < u < m − 1;
    compute x = (u^a mod m)
    if x ≢ ±1 (mod m) then
    begin put j = 1
        while x ≢ ±1 (mod m) and j ≤ f − 1
        begin x ← (x^2 mod m)
            if x ≡ 1 (mod m) then prime=False
            j ← j + 1
        end
        if x ≢ −1 (mod m) then prime=False
    end
    i ← i + 1;
end
output prime
Example 9.14

Let m = 7933. Then $m - 1 = 1983.2^2$. Let us pick a random u and compute $u^{1983.2^i}$ for i = 0, 1, 2. We use the Mathematica functions While and EvenQ to write m − 1 as $a.2^f$ and use Random, PowerMod, Print, and Do for the actual test.

    {1983, 2}
    4225
    7932
    1
    1

We see that no matter how often we run this, we shall always get (+1, +1, +1) or (−1, +1, +1), or (x, −1, +1).

Example 9.15

Let m = 429. A strong witness of the compositeness of m is given by the choice u = 34, as we can see below.

    m = 429;
    f = 0; a = m - 1; While[EvenQ[a], f = f + 1; a = a/2];
    {a, f}
    u = 34
    x = PowerMod[u, a, m];
    Do[{Print[x], x = Mod[x^2, m]}, {i, 0, f}]

    {107, 2}
    34
    265
    298
    1
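Algorithm 9.8 together with the prime generator of Algorithm 9.3 and the attempt estimate of Theorem 9.4, as an added Python example that is not from the original text: the strong-witness sequence printed in Examples 9.14 and 9.15, the k-round Miller-Rabin test, and the l-digit prime search with its expected number of attempts. Function names (including the seeded_rng helper) are my own.

```python
import math
import random


def seeded_rng(seed):
    """Reproducible random source, so that runs can be repeated."""
    return random.Random(seed)


def split_power_of_two(m):
    """Write m - 1 = a * 2^f with a odd; returns (a, f)."""
    a, f = m - 1, 0
    while a % 2 == 0:
        a //= 2
        f += 1
    return a, f


def witness_sequence(m, u):
    """The values u^a, u^(2a), ..., u^(2^f a) mod m printed in Examples 9.14 and 9.15."""
    a, f = split_power_of_two(m)
    seq = [pow(u, a, m)]
    for _ in range(f):
        seq.append(seq[-1] * seq[-1] % m)
    return seq


def is_strong_witness(m, u):
    """True when u proves the odd integer m composite (one round of Algorithm 9.8).
    By Lemma 9.7 a prime m has sequences starting with 1 or reaching -1 before the end."""
    seq = witness_sequence(m, u)
    if seq[0] == 1:
        return False
    return all(x != m - 1 for x in seq[:-1])


def miller_rabin(m, k=20, rng=random):
    """Algorithm 9.8 with k random bases. False is a proof that m is composite; True
    means m is prime with error probability at most 4^-k (Theorem 9.9)."""
    if m < 4:
        return m in (2, 3)
    if m % 2 == 0:
        return False
    for _ in range(k):
        u = rng.randrange(2, m - 1)          # 1 < u < m - 1
        if is_strong_witness(m, u):
            return False
    return True


def generate_prime(l, rng=random, k=20):
    """Algorithm 9.3: draw random odd l-digit integers until one passes Miller-Rabin.
    Returns (prime, number of candidates tried)."""
    attempts = 0
    while True:
        attempts += 1
        u = rng.randrange(10 ** (l - 1), 10 ** l) | 1     # force the candidate to be odd
        if miller_rabin(u, k, rng):
            return u, attempts


def expected_attempts(l):
    """Reciprocal of the Prime Number Theorem estimate 2(9l - 10) / (9 l (l - 1) ln 10)
    for the fraction of odd l-digit numbers that are prime."""
    return 9 * l * (l - 1) * math.log(10) / (2 * (9 * l - 10))


if __name__ == "__main__":
    print("7933 - 1 = a.2^f with (a, f) =", split_power_of_two(7933))
    print("sequence for m = 429, u = 34:", witness_sequence(429, 34))
    print("34 is a strong witness for 429:", is_strong_witness(429, 34))
    print("7933 prime?", miller_rabin(7933), " 429 prime?", miller_rabin(429))
    prime, tries = generate_prime(3, seeded_rng(1))
    print(f"3-digit prime {prime} after {tries} attempt(s)")
    print("expected attempts for l = 100:", round(expected_attempts(100)))
```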


What remains to be done is to give an estimate of the fraction of strong liars modulo a composite number. The next theorem says that this fraction is at most 1/4. This means that the probability that a composite number will not be detected after k runs of the Miller-Rabin test is at most $(1/4)^k$. This compares very favorably with the Solovay and Strassen primality test where this probability can only be upper bounded by $(1/2)^k$.

Theorem 9.9

Let m be a composite number, m ≠ 9. Then the number of strong liars in between 1 and m − 1 is at most φ(m)/4, where φ denotes Euler's totient function.

In other words: the probability that after k runs Algorithm 9.8 has not established the compositeness of a non-prime m is at most $4^{-k}$.

The proof of Theorem 9.9 (see [Moni80] or [Rabi80a]) is very technical and does not give further insight to the reader of this introduction.

If m = 9, φ(m)/4 will be 6/4, which is less than the two "strong liars" −1 and +1.

9.4.3 A Deterministic Primality Test

Primality tests that prove in a deterministic way that a certain integer is prime or not are of course much slower than probabilistic algorithms of the type discussed in the previous subsection.

We shall now explain the idea behind the deterministic primality test of H. Cohen and H.W. Lenstra jr. [CohL82]. This test is an improvement of [AdPR83]. We shall not give a complete description of this test. That would involve too much advanced and deep number theory. We closely follow the excellent introductory article by Lenstra [LensH83].
We start by quoting Fermat's Theorem (Thm. A.15).

Theorem 9.10 Fermat
Let m be a prime number and let a be any integer. Then
$$a^m \equiv a \pmod m. \qquad (9.22)$$

Let m be an integer that we want to test for primality. A single integer a that does not satisfy (9.22) proves that m is not a prime number.

Unfortunately, the opposite is not true. For instance, m = 561 satisfies (9.22), while m = 3 × 11 × 17. To see this we first compute lcm(φ(3), φ(11), φ(17)) = lcm(2, 10, 16) = 80. Let a be coprime with 561. It follows from Euler's Theorem (Thm. A.14) that $a^{80}$ is congruent to 1 modulo each of the three prime divisors of 561. The Chinese Remainder Theorem (Thm. A.19) now implies that $a^{80} \equiv 1 \pmod{561}$. Hence,
$$a^{561} = a\,(a^{80})^7 \equiv a \pmod{561}.$$
For the values of a that have a factor in common with 561, (9.22) can be proved in a similar way.

The reader may want to verify the above with the Mathematica functions FactorInteger and PowerMod:

    m = 561; FactorInteger[m]
    a = 543;
    PowerMod[a, m, m] == a

    {{3, 1}, {11, 1}, {17, 1}}
    True

Composite integers m with the property that $a^{m-1} \equiv 1 \pmod m$ for all a with gcd(a, m) = 1 are commonly called Carmichael numbers.

The converse of a slightly stronger statement than Theorem 9.10 does hold however. In the sequel, (a/m) denotes, as usual, the Jacobi symbol.


Theorem 9.11
An odd integer m is prime if and only if for all integers a
$$\gcd(a, m) = 1 \;\Rightarrow\; a^{(m-1)/2} \equiv \left(\frac{a}{m}\right) \pmod m.$$

Proof: That the relation above holds for prime numbers was already remarked on in (9.15). The converse was first proved by Lehmer [Lehm76], but it also follows directly from Theorem 9.5.

The above theorem is of course not a very efficient primality test for numbers that are more than 100 digits long. Lenstra offers the following "attractive" alternative.


Theorem 9.12 
An odd integer m is prime if and only tf every divisor d of mis a power of m. 


Proof: This statement is completely trivial, since d = | = m° and d = m =m! are the only divisors 
of a prime number m. All other numbers in between | and m can not be written as power of m. 


[| 


Clearly it is not this theorem that we want to use as a primality test, but a variation of it does turn 
out to be very powerful. We shall show that under certain conditions every divisor of m looks a 
little bit like a power of m. 


Theorem 9.13 
Let m be an integer m that is coprime with 6, Assume further that 


(afm) ="? (mod m) for w= -1, 2, and 3, (9.23) 
a’™-1¥2 = —] (mod m) for some integer a. (9.24) 


| Then, for each d@ dividing mi 
d = m! (mod 24) for some non-negative integer. (9.25) 
| In fact, (9.19) can be strengthened to 


d = mt! (mod 24) for 7 = 0ar 1, (9,26) 


Condition (9.24) can not be omitted in the theorem above. Indeed, m = 1729 = 7 × 13 × 19 does 
satisfy (9.23), but does not satisfy (9.25). Note that m ≡ 1 (mod 24); therefore, no power of m will 
ever be congruent modulo 24 to one of the prime divisors of m.


All these statements can be checked with the Mathematica functions FactorInteger, 
JacobiSymbol, PowerMod, and Mod:

m = 1729; FactorInteger[m]
Mod[m, 24] == 1
Mod[JacobiSymbol[-1, m] - PowerMod[-1, (m-1)/2, m], m] == 0
Mod[JacobiSymbol[2, m] - PowerMod[2, (m-1)/2, m], m] == 0
Mod[JacobiSymbol[3, m] - PowerMod[3, (m-1)/2, m], m] == 0


{{7, 1}, {13, 1}, {19, 1}}
True
True
True
True


Before we prove Theorem 9.13, we shall illustrate how it can be used to test the primality of 
integers m, 24 < m < 24^2. After the proof we shall discuss generalizations of Theorem 9.13 that 
yield efficient primality tests for larger values of m.


Algorithm 9.14 (Cohen and Lenstra limited primality test)

input m, 24 < m < 24^2,
initialize prime=True,
test 1: if gcd(m, 6) ≠ 1 then prime=False
test 2: if (u/m) ≢ u^((m-1)/2) (mod m) for u = -1, 2, or 3
        then prime=False
test 3: find an integer a with a^((m-1)/2) ≡ -1 (mod m);
        if no such integer a exists then prime=False
test 4: compute d = (m mod 24);
        if d > 1 and d | m then prime=False
output prime


Proof: The first matter to be addressed is Test 3. If m is prime, the probability that a random 
1 < a < m satisfies (9.24) is 1/2 by Theorem A.23 and Theorem A.20. So, in two tries one can 
expect to find an integer a satisfying (9.24). If no such integer a exists, m is not prime.


More can be said about this step. Assuming the Extended Riemann Hypothesis one can even prove 
that (9.24) has a solution a, 1 < a < 2(log m)^2, if m is prime. (See also [Pera86].)


If m meets the first three tests, we know from Theorem 9.13 that each divisor d of m must be 
congruent to 1 or m modulo 24. Since m < 24^2, we may assume that d < 24 (otherwise consider 
m/d instead of d). It follows that d is in fact equal to 1 or to (m mod 24).

The possibility that d = (m mod 24), d > 1, is ruled out by Test 4. It follows that this divisor d 
must be equal to 1. We conclude that m is prime.

□


To be able to prove Theorem 9.13 we need the following lemmas. The first gives a necessary and 
sufficient condition for two integers m_1 and m_2, both having gcd 1 with 6, to be congruent to each 
other modulo 24.


Lemma 9.15
Let m_1 and m_2 be two integers, both coprime with 6. Then

    m_1 ≡ m_2 (mod 24)  ⇔  (u/m_1) = (u/m_2) for u = -1, 2, and 3.


Proof: There are eight integers m, 1 ≤ m < 24, that are coprime with 6, namely 1, 5, 7, 11, 13, 17, 
19 and 23. For each of these values m we calculate the values (u/m) for u = -1, 2, and 3 by means 
of Corollary A.24, Theorem A.25, resp. Theorem A.27 or with the Mathematica function 
JacobiSymbol, which can be applied at once to a whole list of numbers.

m = {1, 5, 7, 11, 13, 17, 19, 23};
JacobiSymbol[-1, m]
JacobiSymbol[2, m]
JacobiSymbol[3, m]


{1, 1, -1, -1, 1, 1, -1, -1}
{1, -1, 1, -1, -1, 1, -1, 1}
{1, -1, -1, 1, 1, -1, -1, 1}


It is easy to verify that the matrix with these three vectors as rows has the property that all columns 
are different. This shows that the three values (u/m), u = -1, 2, 3, uniquely define m from 
{1, 5, 7, 11, 13, 17, 19, 23}.

□

For example, by looking at the second column, we see that m = 5 is uniquely defined in 
{1, 5, 7, 11, 13, 17, 19, 23} by the three values (-1/m) = 1, (2/m) = -1, and (3/m) = -1.
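The limited test and the table behind Lemma 9.15, as an added Python example (not the book's Mathematica code; the function names are mine): `jacobi` computes (u/m) by quadratic reciprocity, `cohen_lenstra_limited` runs Tests 1 to 4 of Algorithm 9.14, and `jacobi_signature` returns the three symbols of Lemma 9.15 that fix m modulo 24.

```python
from math import gcd, isqrt


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity; no factoring of n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:               # strip factors 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                     # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0      # gcd(a, n) > 1 gives 0


def jacobi_signature(m: int) -> tuple:
    """The triple ((-1/m), (2/m), (3/m)) of Lemma 9.15; it determines m mod 24."""
    return tuple(jacobi(u, m) for u in (-1, 2, 3))


def satisfies_9_23(m: int) -> bool:
    """(9.23): u^((m-1)/2) == (u/m) (mod m) for u = -1, 2, 3."""
    return all(pow(u % m, (m - 1) // 2, m) == jacobi(u, m) % m for u in (-1, 2, 3))


def witness_9_24(m: int):
    """(9.24): the smallest a with a^((m-1)/2) == -1 (mod m), or None if there is none.
    For prime m any quadratic non-residue works, so the search ends quickly; the
    exhaustive search is affordable for the small m Algorithm 9.14 handles."""
    for a in range(2, m):
        if pow(a, (m - 1) // 2, m) == m - 1:
            return a
    return None


def cohen_lenstra_limited(m: int) -> bool:
    """Algorithm 9.14; returns the final value of 'prime'. Valid for 24 < m < 24^2 only."""
    if not 24 < m < 24 ** 2:
        raise ValueError("Algorithm 9.14 assumes 24 < m < 24^2")
    if gcd(m, 6) != 1:                  # test 1
        return False
    if not satisfies_9_23(m):           # test 2
        return False
    if witness_9_24(m) is None:         # test 3
        return False
    d = m % 24                          # test 4: by Theorem 9.13 a divisor below 24
    if d > 1 and m % d == 0:            # can only be 1 or m mod 24
        return False
    return True


def is_prime_trial_division(m: int) -> bool:
    """Reference answer, used only to validate the limited test."""
    return m > 1 and all(m % k for k in range(2, isqrt(m) + 1))


if __name__ == "__main__":
    assert all(cohen_lenstra_limited(m) == is_prime_trial_division(m) for m in range(25, 576))
    # 1729 = 7 * 13 * 19 meets (9.23) but has no a satisfying (9.24), as the text notes
    print(satisfies_9_23(1729), witness_9_24(1729), 1729 % 24)
    # the eight columns of Lemma 9.15 are pairwise different
    print({m: jacobi_signature(m) for m in (1, 5, 7, 11, 13, 17, 19, 23)})
```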







Lemma 9.16
Let m be any integer. Then

    gcd(m, 6) = 1  ⇒  m^2 ≡ 1 (mod 24).

Proof: Since m is not divisible by 3, it follows that m^2 ≡ 1 (mod 3). Similarly, since m is odd, it 
follows that m^2 ≡ 1 (mod 8). To see this, write m = 2n + 1. Then m^2 = (2n + 1)^2 = 4n(n + 1) + 1.

Since 3 and 8 are coprime, the statement follows from the Chinese Remainder Theorem.

□

Of course, we could have checked the above lemma with the Mathematica function Mod as follows:

m = {1, 5, 7, 11, 13, 17, 19, 23};
Mod[m^2, 24]


{1, 1, 1, 1, 1, 1, 1, 1}





We are now ready to prove Theorem 9.13. 


Proof of Theorem 9.13:


It is a direct consequence of the condition gcd(m, 6) = 1 and Lemma 9.16 that each exponent j in 
(9.25) can be reduced modulo 2. This shows that (9.25) can be replaced by (9.26).


Next, note that it suffices to prove (9.25) for prime divisors d of m only. Write m - 1 = f·2^k and 
d - 1 = g·2^l, where f and g are odd and where k > 0, l > 0.


We shall first prove that l ≥ k and then use Lemma 9.15 to show that either d ≡ m^0 (mod 24) or 
d ≡ m^1 (mod 24).


Raise both sides in condition (9.24) to the power g and reduce the result modulo d. Since d | m and 
g is odd, one obtains

    a^(f·g·2^(k-1)) ≡ (-1)^g = -1 (mod d).


Since we assume that d is prime and since a can not have a factor in common with d or m, it 
follows from Fermat's Theorem (Thm. A.15) that

    a^(f·g·2^l) = (a^(d-1))^f ≡ 1^f = 1 (mod d).

We conclude from these two congruence relations that 
    k - 1 < l.


Now consider u ∈ {-1, 2, 3}. Since g is odd and d | m, we have by (9.23)

    u^(f·g·2^(k-1)) = (u^((m-1)/2))^g ≡ (u/m)^g = (u/m) (mod d).


On the other hand (again because d is prime), we have by (9.15)

    u^(f·g·2^(l-1)) = (u^((d-1)/2))^f ≡ (u/d)^f = (u/d) (mod d).

Since u^(f·g·2^(l-1)) = (u^(f·g·2^(k-1)))^(2^(l-k)), it follows from the two last congruence relations that for u = -1, 2, 3
    (u/d) = (u/m)^(2^(l-k)).                                             (9.27)


Note that we have replaced the congruence relation above by an equality sign. We can do this, 
because both sides have value -1 or 1.


If l = k, relation (9.27) and Lemma 9.15 together imply that d ≡ m = m^1 (mod 24).


On the other hand, if l > k, the right hand side of (9.27) is equal to 1, which is also (u/1). So, 
Lemma 9.15 yields that d ≡ 1 = m^0 (mod 24).

□

Crucial in the application of Theorem 9.13 is the fact that we can replace (9.25) by (9.26). Because 
of this, only one condition needed to be tested in the fourth step of Algorithm 9.14. The reason that 
(9.25) could be replaced by (9.26) (see Lemma 9.16) is the fact that

    gcd(m, 24) = 1  ⇒  m^2 ≡ 1 (mod 24).


Theorem 9.13 can only prove the primality of integers m, 24 < m < 24^2. For larger values of m one 
needs generalizations of Theorem 9.13. As may be expected, the exponent in Lemma 9.16 will 
have to be increased in these generalizations. An example of such a generalization would be

    gcd(m, 65520) = 1  ⇒  m^12 ≡ 1 (mod 65520).

In order to test 100-digit numbers for primality, one uses

    gcd(m, s) = 1  ⇒  m^5040 ≡ 1 (mod s),

where s is the 53-digit number

    2^6 × 3^3 × 5^2 × 7^2 × 11 × 13 × 17 × 19 × 31 × 37 × 41 × 43 × 61 × 71 
    × 73 × 113 × 127 × 181 × 211 × 241 × 281 × 337 × 421 × 631 × 1009 × 2521.


Note that √m < s, if m has not more than 100 digits. A rough outline of the primality test of a 100-
digit number is as follows.


Algorithm 9.17 (Cohen and Lenstra; outline of primality test)


input m < 10^100
initialize prime=True,
test 1: if gcd(m, s) ≠ 1 then prime=False
test 2: if m fails any of 67 congruence relations like (9.23)
        then prime=False
test 3: compute d = (m^i mod s), for i = 1, 2, ..., 5039;
        if any of these d divide m then prime=False
output prime

If m is composite, the algorithm above will sometimes yield a factor of m. The probability that this 
will happen however, is very small. In most cases that m is composite, the algorithm will terminate 
in Step 2 and one does not obtain a factor of m. The algorithm above can be adapted to test larger 
integers for primality. The expected running time is

    (ln n)^(c · ln ln ln n),

where c is some constant.


9.5 The Rabin Variant 


In Subsection 9.2.1, it was mentioned that no other general method of breaking RSA is known 
than by factoring n. In [Rabi79], Rabin proposes a variant of the RSA system, whose cryptanalysis 
can be proved to be equivalent to the factorization of n.


9.5.1 The Encryption Function


In the RSA system, each user U had to select a public exponent e_U with gcd(e_U, φ(n_U)) = 1 (see 
(9.2)). In Rabin's variant, all users U take the same exponent

    e_U = 2.                                                              (9.28)

We remind the reader of the discussion in Subsection 9.3.1.


Since gcd(2, φ(n_U)) = 2, because both p_U - 1 and q_U - 1 are even, encryption is no longer a one-
to-one mapping. Indeed, if c ≡ m^2 (mod n_U), with gcd(c, n_U) = 1 and n_U = p_U·q_U, it follows that 
the congruence relation x^2 ≡ c (mod p_U) has two solutions, namely ±m (mod p_U) and, similarly, 
the congruence relation x^2 ≡ c (mod q_U) will have the two solutions ±m (mod q_U). By the Chinese 
Remainder Theorem (Thm. A.19), the congruence relation

    x^2 ≡ c (mod n_U)                                                     (9.29)

has four solutions modulo n_U. What happens if gcd(c, n_U) ≠ 1 is an easy exercise for the reader 
(see Problem 9.5).


Example 9.16 (Part 1)


Consider the encryption of the message m = 12345678 modulo the modulus n = 9733 × 10177 = 99052741 
(we use the Mathematica functions Prime and PowerMod).
99052741
43962531


To find the four messages that are mapped to the same ciphertext, we have to combine the four 
systems of linear congruence relations x ≡ ±m (mod p) and x ≡ ±m (mod q) with the Chinese 
Remainder Theorem. We have to load the package NumberTheory`NumberTheoryFunctions` to 
be able to use the function ChineseRemainderTheorem.


12345678
48738630
50314111
86707063


To check this we calculate

43962531


We note that the image space of the encryption function is not the whole set {0, 1, ..., n_U - 1}. As a 
consequence, this variant by Rabin can not be used in a straightforward way as a signature scheme. 
(See the related Fiat-Shamir protocol in Chapter 14.)


9.5.2 Decryption 


□ Precomputation


How does one decrypt a message c ≡ m^2 (mod n) in the Rabin variant of the RSA system? As 
explained earlier in this section, we do this with the Chinese Remainder Theorem. As 
precalculation, one computes integers a and b satisfying

    a ≡ 1 (mod p_U)  and  a ≡ 0 (mod q_U),                                (9.30)
    b ≡ 0 (mod p_U)  and  b ≡ 1 (mod q_U).                                (9.31)

The solutions a and b can easily be found as follows; for instance, to find a, we obtain a = l·q_U 
from the second congruence relation and substitute this in the first congruence relation. One gets 
the congruence relation l·q_U ≡ 1 (mod p_U), which can be solved with the extended version of 
Euclid's Algorithm (Alg. A.8). See also Example A.3.


These systems of congruence relations can also be solved directly with the Mathematica function 
ChineseRemainderTheorem, for which the package 
NumberTheory`NumberTheoryFunctions` has to be loaded first.


Example 9.16 (Part 2)


Continuing with the parameters of Example 9.16, we need to solve

    a ≡ 1 (mod 9733)  and  a ≡ 0 (mod 10177),
    b ≡ 0 (mod 9733)  and  b ≡ 1 (mod 10177).


<< NumberTheory`NumberTheoryFunctions`

a = ChineseRemainderTheorem[{1, 0}, {9733, 10177}]
b = ChineseRemainderTheorem[{0, 1}, {9733, 10177}]


45287650
53765092


So, a = 45287650 and b = 53765092.


□ Finding a Square Root Modulo a Prime Number


Next, one has to solve the congruence relation x^2 ≡ c (mod p_U) (and, similarly, x^2 ≡ c (mod q_U)). If 
c = 0 the solution is obvious, so, let us assume that c ≢ 0 (mod p_U).


For notational reasons we omit the subscript U from now on. It turns out that an immediate 
technique to find x is not always possible. We consider three cases.


Case 1: p ≡ 3 (mod 4)


If c is the square of some element m in Z_p (such a c is called a quadratic residue modulo p; see 
Section A.4), the two solutions of x^2 ≡ c (mod p) are given by ±c^((p+1)/4). Indeed, if we square this 
expression we get from Fermat's theorem:


Example 9.17


Consider the prime p = 3571 which is congruent to 3 modulo 4. The number c = 2868 is a quadratic 
residue modulo p as can be checked with the Legendre symbol. To verify all these assertions we use the 
Mathematica functions Prime, Mod, and JacobiSymbol.

3571


True


True


The solution of x^2 ≡ 2868 (mod p) is given by m ≡ ±2868^((p+1)/4) ≡ ±3234 (mod 3571). 
To verify this we use the Mathematica function PowerMod.


{2868, 2868}


Case 2: p ≡ 5 (mod 8)


With a slight refinement of the method used above it can be shown that the solution of 
x^2 ≡ c (mod p) in this case is given by ±c^((p+3)/8) if c^((p-1)/4) ≡ 1 (mod p) and by ±2c·(4c)^((p-5)/8) if 
c^((p-1)/4) ≡ -1 (mod p).


See Problem 9.14, which addresses this case. 


Example 9.18


Consider the prime p = 3581 which is congruent to 5 modulo 8. The number c = 2177 is a quadratic 
residue modulo p as can be checked with the Legendre symbol, which is a special case of the Jacobi 
symbol.

The solution of x^2 ≡ 2177 (mod p) is given by m ≡ ±2177^((p+3)/8) ≡ ±3100 (mod 3581) because 
c^((p-1)/4) ≡ 1 (mod p) (otherwise the answer would be ±2c·(4c)^((p-5)/8)).
Case 3: p ≡ 1 (mod 8)


A fast deterministic algorithm to solve this congruence relation does not exist. We follow 
[Rabi79].


In Section A.4 we have introduced QR as the set of quadratic residues modulo p and NQR as the 
set of quadratic non-residues modulo p.


Let r and s denote the two solutions ±m of the congruence relation x^2 ≡ c (mod p). Then r + u and 
s + u are the two solutions of (x - u)^2 - c ≡ 0 (mod p). In other words,

    (x - u)^2 - c = (x - (r + u))(x - (s + u))                            (9.32)

over the finite field Z_p (= GF(p)).


Since r ≢ s (mod p), it follows that the field element (r + u)/(s + u) will never take on the value 1. 
Since the mapping u → (r + u)/(s + u) is one-to-one for u ∈ Z_p, u ≠ -s, we conclude that

    {(r + u)/(s + u) | u ∈ Z_p \ {-s}} = Z_p \ {1}.                       (9.33)
The reader may want to verify this by means of the Mathematica functions Table, Mod, 
PowerMod, and Union.


{0, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18}


It follows from (9.33) and Theorem A.20 that for half of the admissible values of u the element 
(r + u)/(s + u) will be in QR ∪ {0} and for the other half it will be in NQR. In the first case, either 
u = -r or (by Theorem A.21) both r + u and s + u will be elements of QR or they will both be in 
NQR. In the latter case, exactly one of them will be in QR and the other will be in NQR.


A property of quadratic residues modulo a prime number that we shall need later on is given by 
(A.16):

    x^((p-1)/2) - 1 = ∏_{u ∈ QR} (x - u).


Example 9.19


As an example, consider the QR's mod 11. We introduce a new function:


{1, 3, 4, 5, 9}


So, the QR's modulo 11 are given by: 1, 3, 4, 5, and 9. We now compute with the Mathematica 
function PolynomialMod:

PolynomialMod[(x-1) (x-3) (x-4) (x-5) (x-9), 11]


10 + x^5


This is indeed equal to x^5 - 1 modulo 11.


It follows from the above discussion, in particular from (9.33) and (A.16), that for a randomly 
chosen u, u ∈ Z_p \ {-s},

    gcd((x - u)^2 - c, x^((p-1)/2) - 1) (mod p)                           (9.34)

will be

    x - u - r,       if u + r ∈ QR ∪ {0} and u + s ∈ NQR,
    x - u - s,       if u + r ∈ NQR and u + s ∈ QR ∪ {0},
    1,               if u + r ∈ NQR and u + s ∈ NQR,
    (x - u)^2 - c,   if u + r ∈ QR ∪ {0} and u + s ∈ QR ∪ {0}.

The counting arguments above imply that with probability 1/2 one of the first two 
possibilities will occur. So, with probability 1/2 we have a non-trivial factor of (x - u)^2 - c. Since 
u is known, one also has found the value of r or s.


Note that in the extremely unlikely, remaining case, namely if u = -s, the expression (x - u)^2 - c will 
reduce to x^2 + 2s·x. So, this polynomial contains a factor x, and its other factor will yield the 
solution s.
An example of the above method will be given later.


The expected number of u's that one has to try in this algorithm before finding a solution of 
x^2 ≡ c (mod p) is the reciprocal of 1/2, i.e. 2. For a discussion of other methods of taking square 
roots modulo a prime number, we refer the interested reader to [Pera86].


□ The Four Solutions


The final step in the decryption algorithm is of course to use the Chinese Remainder Theorem to 
combine each of the two solutions of x^2 ≡ c (mod p) with each of the two solutions of 
x^2 ≡ c (mod q).

Example 9.16 (Part 3)


We continue with the parameters of Example 9.16. So, p = 9733, q = 10177, 
n = p × q = 99052741, and the solutions of

    a ≡ 1 (mod 9733)  and  a ≡ 0 (mod 10177),
    b ≡ 0 (mod 9733)  and  b ≡ 1 (mod 10177),

are given by a = 45287650 and b = 53765092.

Let c = 9513124 be a ciphertext. Since p ≡ 5 (mod 8) and q ≡ 1 (mod 8), we follow Case 2 to find 
the square root of c modulo p and Case 3 to find the square root of c modulo q.


√9513124 modulo p by Case 2


We calculate c^((p-1)/4) ≡ 1 (mod p) with the Mathematica functions PowerMod and Mod.





√9513124 modulo q by Case 3


We want to find the zeros of x^2 - 9513124 modulo q. We take a random u in Z_q and compute 
gcd((x - u)^2 - 9513124, x^((q-1)/2) - 1) and hope to find a linear factor. We use the Mathematica 
functions PowerMod, PolynomialGCD and


2492 + 10155 x + x^2


We try again

u = 111; x =.;
PolynomialGCD[(x - u)^2 - c, x^((q-1)/2) - 1, Modulus -> q]


1438 + x


It follows that one of the square roots g is given by x - 111 - g = x + 1438 (mod q). So, by

g = Mod[-111 - 1438, q]


8628


It follows from the Chinese Remainder Theorem (Thm. A.19) that the four square roots of 
x^2 ≡ 9513124 (mod 99052741) are given by

Mod[a*f + b*g, n]
Mod[a*f - b*g, n]
Mod[-a*f + b*g, n]
Mod[-a*f - b*g, n]


6969696
63567091
35465650
92083045


9.5.3 How to Distinguish Between the Solutions


Let f be one of the two solutions of x^2 ≡ c (mod p_U) and let g be one of the two solutions of 
x^2 ≡ c (mod q_U). Further, let a and b be the solutions of the linear congruence relations (9.30) and 
(9.31).


Then, by the Chinese Remainder Theorem (Thm. A.19), the four solutions of (9.29) are given by 
±f·a ± g·b (mod n_U).


One would like the sender and receiver to be able to distinguish between the four solutions in such 
a way that they can agree on one of them. In some cases this can be done quite easily. Indeed, if 
p_U and q_U are both congruent to 3 mod 4, one has by Corollary A.24 that -1 is a NQR both 
modulo p_U and modulo q_U. Hence, exactly one of f and -f is a QR and the same is true for g and 
-g. Replacing f by -f and/or g by -g, if necessary, one has without loss of generality that

     f·a + g·b  is QR mod p_U,      f·a + g·b  is QR mod q_U,
     f·a - g·b  is QR mod p_U,      f·a - g·b  is NQR mod q_U,
    -f·a + g·b  is NQR mod p_U,    -f·a + g·b  is QR mod q_U,
    -f·a - g·b  is NQR mod p_U,    -f·a - g·b  is NQR mod q_U.


By Definition A.11 and the second statement in Theorem A.26 we have that 
(f·a + g·b / n_U) = (-f·a - g·b / n_U) = 1, while (f·a - g·b / n_U) = (-f·a + g·b / n_U) = -1. Of the 
two solutions with Jacobi value +1, one will lie in between 1 and (n_U - 1)/2, the other will lie 
between (n_U + 1)/2 and n_U - 1 (or both are equal to 0).


We conclude that there is a unique solution m satisfying 0 ≤ m ≤ (n_U - 1)/2 and (m/n_U) = 1. So, 
sender and receiver can agree to use only messages of this form.


Example 9.20 (Part 1)


Let n_B = 77 and let c = 53 be a received message. Repeating the decryption process explained in the 
previous subsection, we get f = 2, g = 8, a = 22, and b = 56.


With the Mathematica functions Mod and JacobiSymbol, we get the following four possible messages 
with their respective Jacobi symbol value.

nB = 77;
f = 2; g = 8;
a = 22; b = 56;
m1 = Mod[a*f + b*g, nB];
m2 = Mod[a*f - b*g, nB];
m3 = Mod[-a*f + b*g, nB];
m4 = Mod[-a*f - b*g, nB];
Print[m1, "  ", JacobiSymbol[m1, nB]]
Print[m2, "  ", JacobiSymbol[m2, nB]]
Print[m3, "  ", JacobiSymbol[m3, nB]]
Print[m4, "  ", JacobiSymbol[m4, nB]]


30  -1
58  1
19  1
47  -1


We conclude that m = 19 is the unique solution with (m/77) = 1 and 0 ≤ m ≤ 38, so m = 19 was 
the message transmitted by the sender.

If p_U (or q_U) is congruent to 1 modulo 4, one can still agree to use only messages with 
0 ≤ m ≤ (n_U - 1)/2. To get (m/n_U) = 1 the sender and receiver could restrict themselves to 
shorter messages, say 20 digits shorter, and fill up the remaining 20 digits in such a way that the 
resulting message has Jacobi symbol 1 modulo n_U.


9.5.4 The Equivalence of Breaking Rabin's Scheme and Factoring n


We shall now show that breaking Rabin's variant of RSA is equivalent to factoring n_U. Of course, 
when the factorization of n_U is known to the cryptanalyst, Rabin's system is in fact broken, because 
the cryptanalyst can use the same methods to decrypt as the receiver can (see Subsection 9.5.2).


Theorem 9.18

Let n = p·q, where p and q are prime. Let A denote an algorithm that for every c, 
which is the square of an integer, finds a solution of x^2 ≡ c (mod n) with F(n) operations. 
Then a probabilistic algorithm exists that factors n with an expected number of 
operations that is 2(F(n) + 2 log_2 n).


Proof: Select a random m, 0 < m < n, compute c ≡ m^2 (mod n) and solve x^2 ≡ c (mod n) with 
algorithm A in F(n) steps. Let k be the solution found by A. The following four possibilities each 
have probability 1/4:

    i)   k ≡ m (mod p)   and  k ≡ m (mod q),
    ii)  k ≡ m (mod p)   and  k ≡ -m (mod q),
    iii) k ≡ -m (mod p)  and  k ≡ m (mod q),
    iv)  k ≡ -m (mod p)  and  k ≡ -m (mod q).


Indeed, there are four different messages that are mapped to c and they are all four equally likely.


In case ii), gcd(k - m, n) = p and in case iii) gcd(k - m, n) = q. So, the calculation of gcd(k - m, n) 
will yield the factorization of n with probability 1/2. This computation involves less than 2 log_2 n 
calculations by Theorem A.9, therefore, each choice of m involves at most F(n) + 2 log_2 n 
operations.


Since the probability of success is 1/2, one expects to need two tries.


Example 9.20 (Part 2)


Suppose that n = 77 and that the value of m that we have picked is 30. Then 
c ≡ 30^2 ≡ 53 (mod 77). Now assume that Algorithm A finds k = 19 as solution to x^2 ≡ 53 (mod 77) 
(see Example 9.20 for these parameters).


Then one of the factors of n will be found from gcd(k - m, n). This would also have happened if A 
had found k = 58, but not with 30 or 47.


All these calculations can easily be checked with the Mathematica function GCD.

n = 77; m = 30;
GCD[19 - 30, n]
GCD[58 - 30, n]
GCD[30 - 30, n]
GCD[47 - 30, n]


11
7
77
1
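The reduction in the proof of Theorem 9.18, as an added Python example (not from the book; names are mine): `sqrt_oracle_3mod4` stands in for the algorithm A of the theorem (it uses p and q, both 3 mod 4, to return one fixed root), and `factor_with_oracle` is the probabilistic factoring algorithm of the proof, run here on the toy modulus n = 77 of Example 9.20. The lesson for a designer is the one the theorem states: any procedure that returns square roots modulo n on demand is, with two expected calls, a factoring procedure for n.

```python
from math import gcd
import random


def sqrt_oracle_3mod4(c: int, p: int, q: int) -> int:
    """Stand-in for the algorithm A of Theorem 9.18. It knows p and q (both 3 mod 4
    here) and returns one fixed square root of c modulo n = pq, namely the one
    assembled from c^((p+1)/4) and c^((q+1)/4) (Case 1 of Subsection 9.5.2)."""
    n = p * q
    a = q * pow(q, -1, p) % n               # a = 1 (mod p), a = 0 (mod q)
    b = p * pow(p, -1, q) % n               # b = 0 (mod p), b = 1 (mod q)
    return (a * pow(c, (p + 1) // 4, p) + b * pow(c, (q + 1) // 4, q)) % n


def factor_from_roots(n: int, m: int, k: int) -> int:
    """gcd(k - m, n): p or q in cases ii) and iii) of the proof, n in case i), 1 in case iv)."""
    return gcd(k - m, n)


def factor_with_oracle(n: int, oracle, rng: random.Random, max_tries: int = 64):
    """The probabilistic algorithm of Theorem 9.18: square a random m, ask the oracle
    for a root k of m^2 (mod n) and test gcd(k - m, n). Each try succeeds with
    probability 1/2 because the oracle cannot tell which of the four roots was m."""
    for _ in range(max_tries):
        m = rng.randrange(1, n)
        d = gcd(m, n)
        if d != 1:                          # m itself shares a factor with n
            return d
        d = factor_from_roots(n, m, oracle(m * m % n))
        if 1 < d < n:
            return d
    return None


def demo_factor_77(seed: int):
    """Runs the reduction against the toy modulus n = 77 = 7 * 11 of Example 9.20."""
    return factor_with_oracle(77, lambda c: sqrt_oracle_3mod4(c, 7, 11), random.Random(seed))


if __name__ == "__main__":
    # Example 9.20, Part 2: m = 30, c = 53; the roots 19 and 58 factor 77, 30 and 47 do not
    print([factor_from_roots(77, 30, k) for k in (19, 58, 30, 47)])    # [11, 7, 77, 1]
    print(demo_factor_77(seed=1))
```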


9.6 Problems 


Problem 9.1
Consider the RSA system with n = 383 × 563 (so n = 215629) and public key e = 49. So, a plaintext m will 
be encrypted into c = E(m), where

    E(m) = m^49 (mod n).


Prove that every ciphertext c satisfies E^10(c) ≡ c (mod n). (Hint: use Fermat's Theorem and the Chinese 
Remainder Theorem.) The notation E^10(c) stands for E(E(... E(c))).
Give an easy way for a cryptanalyst to recover plaintext m from ciphertext c.


Problem 9.2
Verify that the RSA secrecy system (or signature scheme) works correctly when a message m has a non-
trivial factor in common with the modulus n = p × q, i.e. show that

    (m^e)^d ≡ m (mod n)

when gcd(m, n) = p or q (as always e and d denote the public resp. secret exponents). 
(Hint: use Fermat's Theorem and the Chinese Remainder Theorem.)


Problem 9.3

Consider the RSA cryptosystem with modulus n = p × q and public exponent e.

a) Prove that the number of solutions of the equation m^u ≡ 1 (mod p), when u divides p - 1, is exactly u 
(hint: use the multiplicative structure of GF(p), Theorem B.20).

b) Show that each solution of m^(e-1) ≡ 1 (mod p) is a solution of m^gcd(e-1, p-1) ≡ 1 (mod p) and vice versa 
(use Fermat's Theorem).

c) Prove that the number of solutions of the equation m^e ≡ m (mod p) is given by 1 + gcd(e - 1, p - 1).

d) Prove that the number of plaintexts m satisfying

    m^e ≡ m (mod n)

(in which case encryption does not conceal a message), is given by

    {1 + gcd(e - 1, p - 1)}·{1 + gcd(e - 1, q - 1)}.

(Hint: use the Chinese Remainder Theorem.)


Problem 9.4 

Demonstrate the principle of the Solovay and Strassen primality test on the number m = 33. The number m 
has been made small in this problem to keep the calculations simple. So, do not make use of numbers that 
"incidentally" have a factor in common with m. 


Problem 9.5
Give a Mathematica implementation of Algorithm 9.14 and test it out for two values of m, 24 < m < 24^2.


Problem 9.6
Give a complete factorization of m = 110545695839248001 by means of Pollard's ρ Algorithm.


Problem 9.7
Complete Example 9.7. (Hint: extend the search to (-105, 105).)


Problem 9.8
Apply the Wiener attack to n = 6089471299 and e = 3097347557.


Problem 9.9
Find a strong liar for the composite number m = 85.


Problem 9.10 

Suppose that Alice has sent the same secret message to B, C, D, E, and F by means of the RSA system. Let 
the public moduli of these people be given by n_B = 324059, n_C = 324371, n_D = 326959, n_E = 324851, and 
n_F = 324899. Assume that they all have the same public exponent e = 5.

Let the intercepted messages be given by c_B = 68207, c_C = 96570, c_D = 251415, c_E = 273331, resp. 
c_F = 154351.

Determine Alice's message (see Example 9.8).


Problem 9.11

Suppose that Alice has sent secret messages m_1 = m and m_2 = m^2 + 10m + 20 to Bob by means of the RSA 
system. Let Bob's modulus be n_B = 483047 and e_B = 3. Suppose that you have intercepted the transmitted 
ciphertexts c_1 = 346208 resp. c_2 = 230313 and that you know the above relation between m_1 and m_2. 
Determine m (see Example 9.10).


Problem 9.12 

Consider the Rabin variant of the RSA system. So, only the number n is public. 

Suppose that a message m, 1 < m < n, has been sent that has a non-trivial factor in common with n. 
How many possible plaintexts will the receiver find at the end of the decryption process? 


RSA Based Systems 211 


Problem 9.13 

The Rabin variant of the RSA system is used as cryptosystem with n = 17419 × 17431. Demonstrate the 
decryption algorithm of this system for the ciphertext c = 234279292.

Which solution will come up if the method described in Subsection 9.5.3 is being followed? Why can this 
method be applied? 


Problem 9.14

Let p ≡ 5 (mod 8) and let c be a quadratic residue modulo p.

a) Show that c^((p-1)/4) ≡ ±1 (mod p).

b) Show that the solution of x^2 ≡ c (mod p) is given by ±c^((p+3)/8) if c^((p-1)/4) ≡ 1 (mod p).

c) Show that the solution of x^2 ≡ c (mod p) is given by ±2c(4c)^((p-5)/8) if c^((p-1)/4) ≡ -1 (mod p). (Hint: use 
Theorem A.25 which implies that 2 is not a quadratic residue modulo p.)


10 Elliptic Curves Based Systems 


It will turn out in this chapter that discrete-logarithm-based cryptosystems can also be defined over 
elliptic curves. For RSA-based systems the same can be done, but there seems to be little reason to 
do so. For discrete-logarithm-like systems over elliptic curves, it may very well be that smaller 
parameters are possible with the same level of security as the regular systems over finite fields. 


However, many questions regarding EC-systems are still open at this moment, making it unclear 
what the future of these systems will be. 


10.1 Some Basic Facts of Elliptic Curves 


Let GF(q) be a finite field with q elements, where q = p^m. The number p is prime and is called the 
characteristic of GF(q). If m = 1, we have GF(q) = Z_p, the set of integers modulo p.


The so-called (affine) Weierstrass equation is given by

    y^2 + u·x·y + v·y = x^3 + a·x^2 + b·x + c.                             (10.1)


It is defined over any field (like R or C), but for cryptographic purposes we shall always assume 
that the coefficients are in GF(q).


If p ≠ 2, one can simplify the Weierstrass equation by means of the transformation 
y → y - (u·x + v)/2. One obtains (with new values for a, b, and c)

    y^2 = x^3 + a·x^2 + b·x + c.                                           (10.2)

If also p ≠ 3, one can apply x → x - a/3 to further reduce this form to:

    y^2 = x^3 + b·x + c.                                                   (10.3)

If p = 2, two standard simplifications of (10.1) are possible. They are given by

    y^2 + x·y = x^3 + a·x^2 + c,                                           (10.4)
    y^2 + v·y = x^3 + b·x + c.                                             (10.5)

Definition 10.1


An elliptic curve E over GF(q) is defined as the set of points (x, y) satisfying (10.1) 
together with a single element O, called the point at infinity.


To verify if a point (u, v) lies on a particular elliptic curve, say y^2 = x^3 + 2x + 3 over Z_5, is quite 
easy.


214 FUNDAMENTALS OF CRYPTOLOGY 





p = 5;
a = 0; b = 2; c = 3;
EC[x_, y_] = y^2 - x^3 - a*x^2 - b*x - c;
{u, v} = {1, 4};
Mod[EC[u, v], p] == 0


True


To see if E contains a point with a given x-coordinate we can use the Mathematica function 
Solve. Since the Weierstrass equation is quadratic in y, there will be at most two values of y (see 
Theorem B.14).


p = 11;
Solve[{y^2 == x^3 - 5x + 3, x == 3, Modulus == p}, {y}]


{{Modulus -> 11, x -> 3, y -> 2}, {Modulus -> 11, x -> 3, y -> 9}}


So, x = 3 leads to the values y = ±2, i.e. to the points (3, 2) and (3, 9). The reader should try some 
other values of x.


The reader is referred to Subsection 9.5.2 to find a discussion on how the square root of a 
quadratic residue modulo a prime number can be determined by mathematical means. 


It follows from the above that a point P = (x, y) on an elliptic curve is completely characterized by 
its x-coordinate and the "sign" of y. This reduces the storage requirement of P by almost a factor 
2. If q = p, p > 2, the "sign" of y can be defined as being plus one when 0 < y ≤ (p - 1)/2 and as 
minus one otherwise.


If q = p^m, p > 2, one can use likewise the "sign" of the left-most nonzero coordinate in the p-ary 
representation of y.


For small values of p, one can find all points on E by trying out all possible values of x and checking 
in each case if (10.1) has a solution. Below, we use the Mathematica functions Flatten, Table, 
and Solve.


Clear[x, y];
p = 11;
Flatten[
  Table[Solve[{y^2 == x^3 - 5x + 3, x == u, Modulus == p}],
    {u, 0, p - 1}], 1]


{{Modulus -> 11, y -> 5, x -> 0}, {Modulus -> 11, y -> 6, x -> 0},
 {Modulus -> 11, y -> 1, x -> 2}, {Modulus -> 11, y -> 10, x -> 2},
 {Modulus -> 11, y -> 2, x -> 3}, {Modulus -> 11, y -> 9, x -> 3},
 {Modulus -> 11, y -> 5, x -> 4}, {Modulus -> 11, y -> 6, x -> 4},
 {Modulus -> 11, y -> 2, x -> 5}, {Modulus -> 11, y -> 9, x -> 5},
 {Modulus -> 11, y -> 5, x -> 7}, {Modulus -> 11, y -> 6, x -> 7},
 {Modulus -> 11, y -> 4, x -> 9}, {Modulus -> 11, y -> 7, x -> 9}}


We see that for p = 11, there are 14 solutions. There is an (imprecise) probabilistic argument to 
predict the number of points on E: for each value of x, equation (10.1) will have two solutions with 
probability 1/2 and no solutions with probability 1/2, leading to about q solutions.


As supporting evidence of this statement, consider the right hand side in (10.2) and assume that 
p > 2. If, for a given value of x, the right hand side is a square in GF(p) (there are (p - 1)/2 
squares, namely all even powers of a primitive element in GF(p); or see Theorem A.20), there will 
be two solutions for y. If the right hand side is 0, there is only one solution, namely y = 0. There 
are no other solutions.


A famous theorem by Hasse [Silv86] states:


Theorem 10.1 Hasse
Let N be the number of points on an elliptic curve over GF(q). Then

    |N - (q + 1)| ≤ 2√q.


Note that in the example above, we have indeed that |14 - 12| ≤ 2√11.
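Brute-force point enumeration over Z_p with the Hasse check and the (x, sign) compression described above, as an added Python example (the book uses Mathematica's Solve; the function names are mine, and y = 0 is given sign +1, a case the text leaves open).

```python
from math import isqrt


def legendre(a: int, p: int) -> int:
    """Euler's criterion: 1 for a quadratic residue, -1 for a non-residue, 0 for a = 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def curve_points(a: int, b: int, c: int, p: int) -> list:
    """All affine points on y^2 = x^3 + a x^2 + b x + c over Z_p (p an odd prime),
    found as in the text: for each x decide whether the right-hand side is 0
    (one point), a square (two points y and p - y) or a non-residue (none)."""
    points = []
    for x in range(p):
        rhs = (x ** 3 + a * x * x + b * x + c) % p
        if rhs == 0:
            points.append((x, 0))
        elif legendre(rhs, p) == 1:
            y = next(v for v in range(1, p) if v * v % p == rhs)   # fine for small p
            points.extend([(x, min(y, p - y)), (x, max(y, p - y))])
    return points


def hasse_bound_holds(a: int, b: int, c: int, p: int) -> bool:
    """Theorem 10.1: |N - (p + 1)| <= 2 sqrt(p), N counting the point at infinity too."""
    n_points = len(curve_points(a, b, c, p)) + 1
    return (n_points - (p + 1)) ** 2 <= 4 * p


def compress(point: tuple, p: int) -> tuple:
    """(x, y) -> (x, sign): sign is +1 when 0 <= y <= (p-1)/2 and -1 otherwise."""
    x, y = point
    return (x, 1 if y <= (p - 1) // 2 else -1)


def decompress(x: int, sign: int, p: int, a: int, b: int, c: int) -> tuple:
    """Inverse of compress: take a square root of the right-hand side and fix the sign."""
    rhs = (x ** 3 + a * x * x + b * x + c) % p
    y = next(v for v in range(p) if v * v % p == rhs)
    if compress((x, y), p)[1] != sign:
        y = (p - y) % p
    return (x, y)


if __name__ == "__main__":
    pts = curve_points(0, -5, 3, 11)        # y^2 = x^3 - 5x + 3 over Z_11, as in the text
    print(len(pts), pts)                     # 14 affine points, (3, 2) and (3, 9) among them
    print(hasse_bound_holds(0, -5, 3, 11))
```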


In general, it is very hard to find the precise number of points on an elliptic curve. There is 
however an algorithm by Schoof [Scho95] which computes this number (see also [Mene93] for a 
further discussion). 


Although it is not necessary for the understanding of the rest of this chapter, we like to remind the reader of the possibilities in Mathematica to make calculations over fields GF(p^m) with m > 1.


Example 10.1

As an example of a curve over GF(2⁴) = GF(2)[α]/(1 + α³ + α⁴) (see Table B.2), we can consider the equation y² = x³ + αx + 1. To test if (α², α¹⁴) is on the curve we first load the Mathematica package Algebra`FiniteFields`.

<< Algebra`FiniteFields`

f16 = GF[2, {1, 0, 0, 1, 1}];
al = f16[{0, 1, 0, 0}];
EC[x_, y_] = y^2 - x^3 - al*x - 1;
{u, v} = {al^2, al^14};
EC[u, v]

Indeed, (α¹⁴)² = (α²)³ + α·α² + 1, as can be checked with Mathematica as well.


10.2 The Geometry of Elliptic Curves 


The reason that we are interested in elliptic curves is the addition operation that can be defined on them. This operation will have O ∈ E (the point at infinity) as its unit element, and the points of E will have the structure of an additive group.

To be able to define a suitable addition on E, we shall make use of the property that any line intersecting E in at least two points will intersect it in a third. Here, a tangent point should be counted twice. The point O at infinity is the intersection point of all vertical lines.


We shall first show a picture of an elliptic curve over the reals. We use the Mathematica function ImplicitPlot, for which the package Graphics`ImplicitPlot` has to be loaded first.

<< Graphics`ImplicitPlot`
ImplicitPlot[y^2 == x^3 - 5 x + 3, {x, -3, 3}]

[plot of y² = x³ − 5x + 3 over the reals]


The reader is invited to change the coefficient of x in the function plotted above from −5 to −4 and −3 and observe how the graph changes.


To see how the line y = x + 1 intersects y² = x³ − 5x + 3 we use the additional functions Epilog and Line.

[plot of the curve with the line drawn by Epilog -> Line]

{{y -> -1., x -> 2.}, {y -> 0.381966, x -> 0.618034},
 {y -> 2.61803, x -> -1.61803}}

When the curve is defined over Z₁₁, we can find the intersection points of a line with the curve by means of the Solve function as follows.

{{Modulus -> 11, y -> 1, x -> 2},
 {Modulus -> 11, y -> 2, x -> 3}, {Modulus -> 11, y -> 6, x -> 7}}


A different way to find the intersection points of a line y = u·x + v with an elliptic curve is to substitute y = u·x + v in (10.1), obtain a third degree equation in x and find its factorization.
Example 10.2

Suppose that we are working over Z₁₁. To find the intersection points of y = 4x + 1 with y² = x³ − 5x + 3, we factor (4x + 1)² − (x³ − 5x + 3) with the Mathematica function Factor.

p = 11;
Clear[x];
ec = x^3 - 5 x + 3;
l1 = 4 x + 1;
Factor[l1^2 - ec, Modulus -> p]

10 (2 + x) (7 + x) (8 + x)

We get as x-values of the intersection points: −2, −7, and −8. From y = 4x + 1 we find the solutions (9, 4), (4, 6), and (3, 2).

x = Mod[{-2, -7, -8}, p]
y = Mod[4 x + 1, p]

{9, 4, 3}

{4, 6, 2}


□ A Line Through Two Distinct Points

Let P₁ = (x₁, y₁) and P₂ = (x₂, y₂) be two distinct points on an elliptic curve E (both not at infinity). Let ℓ be the line through P₁ and P₂. How do we find the third point on the intersection of ℓ with E? If x₁ = x₂ and y₁ = −y₂, the point O will be defined as this third point.

So, let us consider the case that x₁ ≠ x₂. The line ℓ through P₁ and P₂ is given by:

y − y₁ = λ(x − x₁), with λ = (y₂ − y₁)/(x₂ − x₁). (10.6)

We discuss two cases.

p ≠ 2

Assume that the elliptic curve is already in reduced form (see (10.2)). Substitution of (10.6) into this relation yields (λ(x − x₁) + y₁)² = x³ + a·x² + b·x + c. Since we know two roots of this third degree equation, there must be a third one (to be called x₃). So, the same equation can also be written as (x − x₁)(x − x₂)(x − x₃) = 0. Comparing the coefficients of x² in both notations, we get

x₃ = λ² − a − x₁ − x₂, (10.7)

and, by (10.6),

y₃ = λ(x₃ − x₁) + y₁. (10.8)


Example 10.3

Consider the elliptic curve y² = x³ + 11x² + 17x + 25 over Z₃₁. The points P₁ = (x₁, y₁) = (2, 7) and P₂ = (x₂, y₂) = (23, 9) lie on E, as can be verified with the Mod function as follows:

The slope λ of the line ℓ through P₁ and P₂ is given by (10.6): λ = (9 − 7)/(23 − 2) = 2 · 3 = 6. Here we use the PowerMod function to get the multiplicative inverse of 21 modulo 31.

That the point P₃ = (0, 26) indeed lies on E can be verified with the calculation
p = 2

We now assume reduced form (10.4). As above, we substitute (10.6) into (10.4) and look at the coefficient of x². We get

x₃ = a − λ² − λ − x₁ − x₂, (10.9)
y₃ = λ(x₃ − x₁) + y₁. (10.10)

Note that all minus signs can be replaced by plus signs, when p = 2.


□ A Tangent Line

There is one more possibility that we want to discuss, namely that P₁ = (x₁, y₁) = P₂. Let ℓ be the tangent line to E through P₁. This means that ℓ meets E in P₁ = (x₁, y₁), and that the slope of ℓ is the same as the derivative of E in P₁. One usually views P₁ as point of intersection with multiplicity two.

Over ℝ this situation looks like:

ImplicitPlot[y^2 == x^3 - 5 x - 3, {x, -3, 4},
  PlotRange -> {-4, 4},
  Epilog -> Line[{{-3, 3}, {4, -4}}]]

[plot of y² = x³ − 5x − 3 with the tangent line through (−3, 3) and (4, −4)]

At this moment we exclude the possibility that ℓ is a double tangent line to E (meaning that its multiplicity is 3). If it were, the tangent line already intersects E in a point with multiplicity 3.

In the sequel, when we speak of taking a derivative of a polynomial over a finite field we mean to take the formal derivative and then reduce the coefficients modulo the characteristic of the field.

For instance, in GF(3^m) the derivative of x⁴ + 2x³ + x² + 1 is given by 4x³ + 6x² + 2x, which reduces to x³ + 2x.


p ≠ 2

The slope of the tangent line through a point P = (x₁, y₁) on the curve y² = x³ + a·x² + b·x + c (see (10.2)) is given by the value of y′ determined through implicit differentiation, so 2·y₁·y′ = 3x₁² + 2·a·x₁ + b. We conclude that the tangent line through P is given by

y − y₁ = λ(x − x₁), with λ = (3x₁² + 2a·x₁ + b)/(2y₁). (10.11)

To find the third point of the line ℓ through E we can still use (10.7) and (10.8).


p = 2

The slope of the tangent line through a point P = (x₁, y₁) on the curve y² + x·y = x³ + a·x² + c (see (10.4)) is given by the value of y′ determined from 2·y₁·y′ + y₁ + x₁·y′ = 3x₁² + 2a·x₁, i.e. by y₁ + x₁·y′ = x₁². Hence, the tangent line through P is given by

y − y₁ = λ(x − x₁), with λ = (x₁² + y₁)/x₁ = x₁ + y₁/x₁. (10.12)

To find the third point on ℓ through E we observe that (10.9) (take x₂ = x₁) reduces to

x₃ = a − λ² − λ = a + x₁² + y₁²/x₁² + x₁ + y₁/x₁ = a + x₁² + x₁ + (y₁² + x₁·y₁)/x₁²
   = a + x₁² + x₁ + (x₁³ + a·x₁² + c)/x₁² (by (10.4))
   = x₁² + c/x₁², (10.13)

and that (10.10) reduces to

y₃ = x₁² + λ·x₃. (10.14)


Example 10.4

Consider the elliptic curve y² + x·y = x³ + α·x² + α⁷ over GF(16), where α⁴ = α + 1. The point (α, α²) lies on this curve, as can be easily checked, once we have loaded the Mathematica package Algebra`FiniteFields`.

<< Algebra`FiniteFields`

So, (x₃, y₃) = (α, α²). This can all be checked easily.
10.3 Addition of Points on Elliptic Curves

In the previous section, we have shown how the line through two points on an elliptic curve E intersects that curve in a third point and how that point can be computed efficiently. The same holds for a line that is tangent to E, with the understanding that the tangent point is counted twice.

We are now ready to define an addition on E. The geometric idea behind the formulas below is the following. First of all, if P = (x, y) is a point on an elliptic curve E determined by (10.1), then

−P = (x, −y − u·x − v).

If u = v = 0, like in (10.2), this reduces to

−P = (x, −y).

Geometrically, this can be described as follows: compute the line ℓ through O and P. It intersects E in a third point, namely −P. As noted before, the point O at infinity should be interpreted as the intersection point of all vertical lines.

To add points P₁ and P₂, both not at infinity, execute the following two steps:

1) Compute the line ℓ through P₁ and P₂ (or the tangent line through P₁, if P₁ = P₂) and find the third point of intersection with E. Let this be Q.

2) The sum P₁ + P₂ is defined as P₃ := −Q.

The point O serves as unit element of this addition and is its own inverse.
Definition 10.2 addition
Let P be a point on an elliptic curve E (so, it is defined by (10.1)), with O as point at infinity. Then we define the sums

P + O = O + P = P.

Further, let P₁ = (x₁, y₁) and P₂ = (x₂, y₂) be two points on E, both not O. Then the sum P₁ + P₂ is defined by

i) P₁ + P₂ = −Q if x₁ ≠ x₂.
   Here, Q is the third point of intersection of E with the line ℓ through (x₁, y₁) and (x₂, y₂).

ii) P₁ + P₂ = −Q if P₁ = P₂ and the tangent line through P₁ is a single tangent.
   Here, Q is the third point of intersection of E with the tangent ℓ through P₁.

iii) P₁ + P₂ = −P₁ if P₁ = P₂ and the tangent line through P₁ is a double tangent.

iv) P₁ + P₂ = O if P₁ = −P₂.

Note that possibility iii) can be interpreted as a special case of ii).


We shall depict the two most typical cases, namely i) and ii), by means of elliptic curves over the reals. We need again the package Graphics`ImplicitPlot`.

<< Graphics`ImplicitPlot`
The points on an elliptic curve together with the addition defined above form an additive group. We shall not prove that here. The reader is referred to [Mene93] or [SilT92]. Note that the only non-trivial property to verify is the associativity of the addition.

Theorem
The points on an elliptic curve E with the addition defined in Definition 10.2 form an additive group. The zero element is given by O.

228 FUNDAMENTALS OF CRYPTOLOGY

With the following Module one can compute the sum of two points (the point O at infinity will be denoted by {O}) on an elliptic curve over GF(q) with characteristic p > 2. We make use of formulas (10.6), (10.7), (10.8) and (10.11), and use the Mathematica function Which with the same order of cases as in Definition 10.2.





{3, 9}
{7, 6}
{4, 5}
{4, 6}
{O}

Observe that the tangent through (4, 6) is a double tangent, so by Definition 10.2, iii)
(4, 6) + (4, 6) = −(4, 6) = (4, 5).


As is common in additive groups, 2P will stand for P + P, similarly 3P stands for P + P + P, etc. Similarly, 0P stands for O and −n·P stands for −(n·P). These multiples of P are often called the scalar multiples of P.

The order of P is the smallest positive integer n with n·P = O. Since E is a finite group, this notion is well defined. The set {O, P, 2P, ..., (n − 1)P} is a cyclic subgroup of E. It follows that n divides |E| (see Theorem B.5).


Now that we have the Module EllipticAdd, defined above, it is quite easy to compute n·P, n ≥ 1, recursively as follows:

p = 11; a = 0; b = 6; c = 3; P = {9, 4};
f[1] = P;
f[n_] := f[n] = EllipticAdd[p, a, b, c, P, f[n - 1]];
Table[f[n], {n, 1, 5}] // ColumnForm

{9, 4}
{7, 6}
{7, 5}
{9, 7}
{O}

So, on the curve y² = x³ + 6x + 3 over Z₁₁, the point P = (9, 4) has order 5.


In the next section, it will be important to have points available on an elliptic curve E that have a very large order. If the cardinality of E is known and of a special form, for instance |E| is a small multiple of a large prime factor, then it is quite easy to find points on E with a known large order.

As an example, consider |E| = 3 × 7919 = 23757. Suppose that 3P ≠ O. Then P has order 7919 or 23757. If 7919P = O then P has order 7919, otherwise 3P will have this order. To check these assertions, apply Lemma B.4 and Theorem B.5 (rewrite the multiplicative notation in the additive notation that we use here).




10.4 Cryptosystems Defined over Elliptic Curves 


Most notions in this section can be viewed as direct translations of notions introduced in Chapter 
8, but now using addition over an elliptic curve as principal operation instead of modular 
multiplication. Modular exponentiation will translate into scalar multiplication. 


For the above reason, it will often suffice to just present the new formulations without copying all 
the proofs. 


In [Demy94] one can find an RSA-like cryptosystem defined over elliptic curves. However, to break the system it is sufficient to factor its modulus. Since the original RSA system has the same security restriction and is faster in its calculations, there seems to be little reason to use this generalization of RSA to elliptic curves.


10.4.1 The Discrete Logarithm Problem over Elliptic Curves 


We have seen in Section 10.3 how to add points on an elliptic curve E. This is an operation with relatively low complexity. To compute scalar multiples of a point P, say n·P for some integer n, we can use repeated addition, but it is much more efficient to copy the ideas of Subsection 8.1.1.


Example 10.5

Take n = 171. Its binary expansion is 10101011, as follows from the Mathematica function IntegerDigits.

IntegerDigits[171, 2]

{1, 0, 1, 0, 1, 0, 1, 1}

So, to compute 171P, it suffices to compute

2P = P + P,
4P = 2P + 2P,
8P = 4P + 4P,
...
128P = 64P + 64P

and add the suitable terms. This can be done on the fly as follows:

Clear[P];
2 (2 (2 (2 (2 (2 (2 P) + P)) + P)) + P) + P

171 P

Note that we only added partial results to themselves or to P. (The reader may want to look at Example 8.3 for the analogous modular arithmetic problem.)
Of course, addition chains may further reduce the complexity of these calculations.


The opposite problem of computing scalar multiples of a point is the following:

Definition 10.3
Let E be an elliptic curve. Let P be a point on E and let Q be a scalar multiple of P. The discrete logarithm problem over an elliptic curve is the problem of determining n for given P and Q from the relation

n·P = Q. (10.15)

Although we shall see more efficient ways to solve (10.15) than by simply trying n = 1, 2, ..., all the methods have a complexity of the form n^α, α > 0, and so they are exponentially slower than the (logarithmic) complexity of computing n·P out of P.


10.4.2 The Discrete Logarithm System over Elliptic Curves 


Now that we have formulated the discrete logarithm problem over elliptic curves, we can describe 
the analogue of the Diffie-Hellman key exchange protocol (see Subsection 8.1.2). 


As system parameters one needs an elliptic curve E over a finite field GF(q) and a point P on the curve of high order, say the order n of P is 150-180 digits long.

Each user U of the system selects a secret scalar m_U, computes the point Q_U = m_U P and makes Q_U public. Alice and Bob can now agree on the common key K_{A,B} = m_A m_B P. Alice can find this common key by computing m_A Q_B with her secret scalar m_A and Bob's public Q_B. Bob can do likewise.

This system is summarized in the following table.

system parameters        elliptic curve E over GF(q)
                         point P on E of high order
secret key of U          m_U
public key of U          Q_U = m_U P
common key of A and B    K_{A,B} = m_A m_B P
Ann computes             m_A Q_B
Bob computes             m_B Q_A

Table 10.1 The Diffie-Hellman Key Exchange System over Elliptic Curves


Example 10.6

Consider the elliptic curve E over Z_p defined by y² = x³ + 100x² + 10x + 41. The point P = (121, 517) lies on it, as can be checked with the Mathematica function Mod.

The order of P is 432. To show this, we check that 432P = O and that (432/2)P ≠ O and (432/3)P ≠ O for the two prime divisors 2 and 3 of 432. We make use of the binary expansion of these coefficients (to be found with the function IntegerDigits). We also make use of the EllipticAdd function defined in Section 10.3 and the Do function.

{{2, 4}, {3, 3}}

{1, 1, 0, 1, 1, 0, 0, 0, 0}

{1, 1, 0, 1, 1, 0, 0, 0}

{1, 0, 0, 1, 0, 0, 0, 0}

{O}
{19, 0}
{341, 175}

Let Alice choose m_A = 130 and Bob m_B = 288. Then Q_A = (162, 663) and Q_B = (341, 688), as can be checked as follows (note that we have chosen very friendly secret scalars).

{162, 663}
{341, 688}

Alice can compute the common key K_{A,B} with the calculation K_{A,B} = m_A Q_B, where m_A = 130 is her secret key. She finds

{341, 688}

Likewise, Bob can compute the common key K_{A,B} with the calculation K_{A,B} = m_B Q_A, where m_B = 288 is his secret key. He also finds

QB[0] = {162, 663};
QB[i_] := QB[i] = EllipticAdd[p, a, b, c, QB[i - 1], QB[i - 1]];
EllipticAdd[p, a, b, c, QB[8], QB[5]]

{341, 688}


Now that the Diffie-Hellman key exchange system over elliptic curves has been described, it really 
is a straightforward exercise to show that the ElGamal protocol and the other systems, described in 
Section 8.2, can be rewritten in the language of elliptic curves. 
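The point search of Section 10.1, the chord-and-tangent formulas of Section 10.2, the addition, scalar multiplication and order computations of Sections 10.3 and 10.4.1, and the key exchange of Table 10.1, worked through in one added Python example (this is not the book's Mathematica Module EllipticAdd; the class and function names are the example's own). It assumes an odd prime p and the reduced form (10.2), and uses as inputs the book's curve y² = x³ − 5x + 3 = x³ + 6x + 3 over Z₁₁ with P = (9, 4) and the Z₃₁ curve of Example 10.3:

```python
"""Elliptic-curve arithmetic over Z_p (p an odd prime) for curves in the reduced
form (10.2): y^2 = x^3 + a x^2 + b x + c.  Points are (x, y) tuples and the point
O at infinity is None.  Added example, not the book's Mathematica Module."""


class Curve:
    def __init__(self, p, a, b, c):
        self.p, self.a, self.b, self.c = p, a % p, b % p, c % p

    def rhs(self, x):
        return (x ** 3 + self.a * x * x + self.b * x + self.c) % self.p

    def contains(self, P):
        return P is None or (P[1] * P[1] - self.rhs(P[0])) % self.p == 0

    def inv(self, v):
        """Multiplicative inverse mod p (Fermat); the book uses PowerMod[v, -1, p]."""
        return pow(v % self.p, self.p - 2, self.p)

    def neg(self, P):
        return None if P is None else (P[0], (-P[1]) % self.p)

    def third_point(self, P1, P2):
        """Third intersection Q of the curve with the line through P1 and P2
        (the tangent line if P1 == P2), by (10.6)-(10.8) and (10.11)."""
        p, a, b = self.p, self.a, self.b
        x1, y1 = P1
        x2, y2 = P2
        if (x1 - x2) % p == 0:
            if (y1 + y2) % p == 0:
                return None                                  # vertical line: Q is O
            lam = (3 * x1 * x1 + 2 * a * x1 + b) * self.inv(2 * y1) % p   # (10.11)
        else:
            lam = (y2 - y1) * self.inv(x2 - x1) % p                        # (10.6)
        x3 = (lam * lam - a - x1 - x2) % p        # (10.7)
        y3 = (lam * (x3 - x1) + y1) % p           # (10.8)
        return (x3, y3)

    def add(self, P1, P2):
        """Definition 10.2: P1 + P2 = -Q; cases iii) and iv) come out of the same formulas."""
        if P1 is None:
            return P2
        if P2 is None:
            return P1
        return self.neg(self.third_point(P1, P2))

    def mul(self, n, P):
        """n.P by doubling along the binary expansion of n, as in Example 10.5."""
        R = None
        for bit in bin(n)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def order(self, P):
        """Smallest n >= 1 with n.P = O."""
        n, R = 1, P
        while R is not None:
            R = self.add(R, P)
            n += 1
        return n

    def affine_points(self):
        """All (x, y) on the curve, found by trying every x (Section 10.1)."""
        p = self.p
        return [(x, y) for x in range(p) for y in range(p) if (y * y - self.rhs(x)) % p == 0]

    def line_points(self, u, v):
        """Points of the curve on the line y = u x + v (cf. Example 10.2)."""
        p = self.p
        return [(x, (u * x + v) % p) for x in range(p)
                if ((u * x + v) ** 2 - self.rhs(x)) % p == 0]

    def hasse_ok(self):
        """Theorem 10.1: |N - (q + 1)| <= 2 sqrt(q), with N counting O as well."""
        N = len(self.affine_points()) + 1
        return (N - (self.p + 1)) ** 2 <= 4 * self.p


def ecdh(curve, P, m_a, m_b):
    """Table 10.1: public Q_U = m_U P; both sides arrive at m_A m_B P."""
    Q_a, Q_b = curve.mul(m_a, P), curve.mul(m_b, P)
    return Q_a, Q_b, curve.mul(m_a, Q_b), curve.mul(m_b, Q_a)


if __name__ == "__main__":
    E = Curve(11, 0, -5, 3)                    # y^2 = x^3 - 5x + 3 over Z_11
    print(len(E.affine_points()), "affine points; Hasse bound holds:", E.hasse_ok())
    print("y = 4x + 1 meets E in", E.line_points(4, 1))
    P = (9, 4)
    print("n.P, n = 1..5:", [E.mul(n, P) for n in range(1, 6)], "order", E.order(P))
    print("(4,6) + (4,6) =", E.add((4, 6), (4, 6)), "(double tangent)")
    E31 = Curve(31, 11, 17, 25)                # Example 10.3
    print("third point", E31.third_point((2, 7), (23, 9)), "sum", E31.add((2, 7), (23, 9)))
    print("ECDH on E with m_A = 2, m_B = 3:", ecdh(E, P, 2, 3))
```

The group of the Z₁₁ curve has only 15 elements, so the key exchange at the end merely shows the mechanics of Table 10.1; the book's parameters call for a point whose order is 150-180 digits long.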


10.4.3 The Security of Discrete Logarithm Based EC Systems 


In Section 8.3, various methods are described to take the discrete logarithm over a finite field. The Pohlig-Hellman algorithm, the baby-step giant-step method, and the Pollard-ρ method can all be directly translated into elliptic curve terminology: just replace modular exponentiation by scalar multiplication on the elliptic curve.


At the time of this writing, the index-calculus method has defeated any attempt to transfer it 
efficiently to the elliptic curve setting (see [Muill86]). That is of great cryptographic significance, 
because the index-calculus method was the only one with a subexponential complexity. This 
means that in regular discrete-logarithm-like systems the index-calculus method is the governing 
factor in determining the size of its parameters (to keep the system computationally secure). Since 
the index-calculus method is no longer around in the elliptic curve setting, one can afford much 
smaller parameters to achieve the same level of security. 


At the time of this writing, the XEDNI method has been proposed [Silv98] as an alternative to 
solve the elliptic curve discrete logarithm problem. Further analysis is needed to determine the 
implications of this method. 


There are special attacks on discrete logarithm based elliptic curve cryptosystems. These attacks make it necessary to avoid special classes of elliptic curves. In particular, one should not use

singular curves,
supersingular curves,
anomalous curves.

We shall not describe these attacks (see [MeOkV93], [SatA98], and [Smar98]). In each case the logarithm problem over an elliptic curve can be translated to the logarithm problem over a finite field (or an even simpler problem). We shall explain in one case that one can counter these attacks by simply avoiding these special curves.


Before we do so, we need to introduce a new notion. We homogenize the Weierstrass equation (10.1). This means that we multiply each term in it with the smallest power of z in such a way that all terms have the same degree:

F(x, y, z) = y²·z + u·x·y·z + v·y·z² − x³ − a·x²·z − b·x·z² − c·z³ = 0. (10.16)

Note that if (x, y, z) satisfies (10.16), then so does λ(x, y, z). For that reason, one often normalizes solutions to (10.16) by requiring the right-most non-zero coordinate to be equal to 1.

Points (x, y) that satisfy (10.1) now lead to solutions (x, y, 1) of (10.16). The (somewhat mysterious) point O at infinity can be represented by (0, 1, 0).

A point on a curve E is called singular if all partial derivatives ∂F/∂x, ∂F/∂y, and ∂F/∂z are zero. An elliptic curve can not contain two singular points. If a curve E contains a singular point then it is called a singular curve, otherwise it is called a non-singular curve.

With some effort one can show that (10.2) defines a non-singular curve if and only if the cubic expression on its right side has no multiple roots. For (10.3) with c ≠ 0, this is equivalent to the condition 4b³ + 27c² ≢ 0 (mod p).

When p = 2, (10.4) gives non-singular curves when c ≠ 0 and (10.5) when v ≠ 0.
The above means that it is quite simple to test if a curve is non-singular or not.

We shall not give a definition of what supersingular means. Here it suffices to know that curves defined by (10.5) are supersingular and need to be avoided. Again, it is easy to avoid these curves.

Finally, anomalous curves are elliptic curves E over Z_p with the property that |E| = p.
10.5 Problems

Problem 10.1*
How many points lie on the elliptic curve defined in Example 10.1?

Problem 10.2
Find the intersection points over Z₃₁ of the lines y = 4x + 20 and y = 4x + 21 with the elliptic curve y² = x³ + 25x + 10.

Problem 10.3
Find the line that is tangent to the elliptic curve y² = x³ + 11x² + 17x + 25 over Z₃₁ in the point (2, 7). Where else does this line intersect the curve?

Problem 10.4*
Consider the elliptic curve E defined by y² = x³ + 11x² + 17x + 25 over Z₃₁.
Check that the points P = (12, 10) and Q = (25, 14) lie on E. What is −P? Compute the sum of P and Q without using the Mathematica procedure presented in Section 10.3.

Problem 10.5
Consider an elliptic curve E. Let P on E have order n. What is the order of −P?

Problem 10.6*
Consider (again) the elliptic curve E defined by y² = x³ + 11x² + 17x + 25 over Z₃₁.
Determine the orders of P = (27, 10) and Q = (24, 28). What can you conclude about the cardinality of E (hint: use Theorem B.5)?
What is the cardinality of E (hint: use Theorem 10.1)?
Construct a point of maximal order from P and Q.

Problem 10.7*
Duplicate Example 10.6 for the elliptic curve E over Z₅₂₃ defined by the equation y² = x³ + x² + 11x + 1. Use for P a point of order at least one hundred.
11.1 Introduction to Goppa Codes


In this chapter it is assumed that the reader is familiar with algebraic coding theory. A reader 
without this background can freely skip this chapter and continue with Chapter 12. From 
[MacWS77] we recall the following facts about Goppa codes. 


Theorem 11.1
Let G(x) be any irreducible polynomial of degree t over GF(2^m). Then the set

Γ(G(x), GF(2^m)) = { (c_w)_{w ∈ GF(2^m)} ∈ {0, 1}^n | Σ_{w ∈ GF(2^m)} c_w / (x − w) ≡ 0 (mod G(x)) } (11.1)

defines a binary Goppa code of length n = 2^m, dimension k ≥ n − t·m and minimum distance d ≥ 2t + 1.
A fast decoding algorithm with running time n·t exists (see [Patt75]).

Note that we have used the elements in GF(2^m) as an index set for the coordinates of the vectors in {0, 1}^n. The notions used above mean that the elements in Γ(G(x), GF(2^m)) (which are called codewords) form a linear subspace in {0, 1}^n of dimension at least n − t·m and that different codewords differ in at least 2t + 1 coordinates (one says that the Hamming distance d_H(c, c′) between different codewords is at least 2t + 1).

A decoding algorithm will map any word in {0, 1}^n that differs in at most t coordinates from a codeword c (which is unique by the triangle inequality) to that codeword. Hence, if a codeword c is transmitted and the received word r differs from c in no more than t coordinates (d_H(c, r) ≤ t), the receiver is able to recover c from r. For this reason, t is called the error-correcting capability of the code Γ(G(x), GF(2^m)).

Any k × n matrix of which the rows span a particular linear code is called a generator matrix of that code. It follows from this definition that the code can be described by

{m·G | m ∈ {0, 1}^k}. (11.2)


Example 11.1 (Part 1)

Let α be the primitive element in GF(2⁴) satisfying α⁴ + α³ + 1 = 0. After having loaded the Mathematica package Algebra`FiniteFields` we can generate the log table of GF(2⁴) with the functions MatrixForm and PowerList.

 i    αⁱ as coordinates with respect to 1, α, α², α³
 0    {1, 0, 0, 0}
 1    {0, 1, 0, 0}
 2    {0, 0, 1, 0}
 3    {0, 0, 0, 1}
 4    {1, 0, 0, 1}
 5    {1, 1, 0, 1}
 6    {1, 1, 1, 1}
 7    {1, 1, 1, 0}
 8    {0, 1, 1, 1}
 9    {1, 0, 1, 0}
10    {0, 1, 0, 1}
11    {1, 0, 1, 1}
12    {1, 1, 0, 0}
13    {0, 1, 1, 0}
14    {0, 0, 1, 1}

Consider the binary Goppa code Γ(G(x), GF(2⁴)) of length 16 defined by G(x) = x² + x + α. That G(x) is indeed an irreducible polynomial over GF(2⁴) can easily be checked with the Mathematica functions GF, Table, and TableForm, because it suffices to show that G(x) has no linear factors, i.e. that G(w) ≠ 0 for every w in GF(2⁴):

 w      G(w)
 0      {0, 1, 0, 0}
 1      {0, 1, 0, 0}
 α      {0, 0, 1, 0}
 α²     {1, 1, 1, 1}
 α³     {1, 0, 1, 0}
 α⁴     {1, 0, 1, 0}
 α⁵     {1, 1, 0, 0}
 α⁶     {0, 1, 1, 1}
 α⁷     {1, 0, 0, 1}
 α⁸     {0, 1, 1, 1}
 α⁹     {1, 1, 1, 1}
 α¹⁰    {1, 1, 0, 0}
 α¹¹    {0, 0, 0, 1}
 α¹²    {0, 0, 1, 0}
 α¹³    {1, 0, 0, 1}
 α¹⁴    {0, 0, 0, 1}


Krew oda ee ee 


To determine the inverses 1/(x − w) (mod x² + x + α) in (11.1) we use the Mathematica package Algebra`PolynomialExtendedGCD`

and the Mathematica function PolynomialExtendedGCD. For instance, 1/(x − α³) (mod x² + x + α) can be found by

{1, {{0, 1, 0, 1} + {1, 1, 1, 1} x, {1, 1, 1, 1}}}

With the logarithm table above we can rewrite these coefficients as follows:

0·1 + 1·α + 0·α² + 1·α³ = α¹⁰,
1·1 + 1·α + 1·α² + 1·α³ = α⁶.

It follows from (A.8) that

(x − α³)(α¹⁰ + α⁶·x) + α⁶·G(x) = 1,

i.e. 1/(x − α³) = α¹⁰ + α⁶·x. This can be checked with the Mathematica function PolynomialMod

{1, 0, 0, 0}


We express all the inverses 1/(x − w), w ∈ GF(2⁴), in this way as polynomials g₀^(w) + g₁^(w)·x, by means of

{1, {{0, 0, 1, 1} + x {0, 0, 1, 1}, {0, 0, 1, 1}}}
{1, {x {0, 0, 1, 1}, {0, 0, 1, 1}}}
{1, {{0, 1, 0, 1} + x {0, 1, 1, 0}, {0, 1, 1, 0}}}
{1, {{0, 0, 0, 1} + x {1, 0, 1, 0}, {1, 0, 1, 0}}}
{1, {{0, 1, 0, 1} + x {1, 1, 1, 1}, {1, 1, 1, 1}}}
{1, {{1, 0, 1, 0} + x {1, 1, 1, 1}, {1, 1, 1, 1}}}
{1, {x {0, 0, 0, 1} + {0, 1, 1, 0}, {0, 0, 0, 1}}}
{1, {{1, 0, 0, 0} + x {1, 1, 1, 0}, {1, 1, 1, 0}}}
{1, {{1, 0, 1, 0} + x {1, 0, 1, 1}, {1, 0, 1, 1}}}
{1, {{0, 1, 1, 0} + x {1, 1, 1, 0}, {1, 1, 1, 0}}}
{1, {x {1, 0, 1, 0} + {1, 0, 1, 1}, {1, 0, 1, 0}}}
{1, {x {0, 0, 0, 1} + {0, 1, 1, 1}, {0, 0, 0, 1}}}
{1, {{1, 0, 1, 1} + x {1, 1, 0, 0}, {1, 1, 0, 0}}}
{1, {{0, 0, 1, 1} + x {0, 1, 1, 0}, {0, 1, 1, 0}}}
{1, {{0, 0, 0, 1} + x {1, 0, 1, 1}, {1, 0, 1, 1}}}
{1, {{0, 1, 1, 1} + x {1, 1, 0, 0}, {1, 1, 0, 0}}}

and put them as columns (g₀^(w); g₁^(w)) in a 2 × 16 matrix H. Note that 1/(x − α³) appears as (α¹⁰; α⁶) in column 5, because the first column corresponds to w = 0, the second column has index w = 1, etc.

H = ( α¹⁴  0    α¹⁰  α³   α¹⁰  α⁹   α¹³  1    α⁹   α¹³  α¹¹  α⁸   α¹¹  α¹⁴  α³   α⁸  )
    ( α¹⁴  α¹⁴  α¹³  α⁹   α⁶   α⁶   α³   α⁷   α¹¹  α⁷   α⁹   α³   α¹²  α¹³  α¹¹  α¹² )

Here, we have made use of the log table of GF(2⁴), computed earlier.
The defining equation in (11.1) can be rewritten as

Σ_{w ∈ GF(2⁴)} c_w (g₀^(w) + g₁^(w)·x) ≡ 0 (mod x² + x + α),

or, equivalently, as

(Σ_{w ∈ GF(2⁴)} c_w g₀^(w)) + (Σ_{w ∈ GF(2⁴)} c_w g₁^(w))·x ≡ 0 (mod x² + x + α).

So, we have two linear equations for c = (c_w)_{w ∈ GF(2⁴)}:

Σ_{w ∈ GF(2⁴)} c_w g₀^(w) = 0 and Σ_{w ∈ GF(2⁴)} c_w g₁^(w) = 0.

These two equations can be efficiently denoted by

H·cᵀ = 0ᵀ.

Expressing each power of α as binary linear combination of 1, α, α², and α³ (or using the output of the PolynomialExtendedGCD calculations directly) gives the 8 × 16 binary matrix H′:

0000010110101000
0010101001010001
1000011011111101
1011100000111111
0001110111101011
0010110101001101
1111110111100110
1100111010010010

So, another way to describe Γ(x² + x + α, GF(2⁴)) is

C = {c ∈ {0, 1}¹⁶ | H′·cᵀ = 0ᵀ}.


It is not difficult to check that C is a binary, linear code of length 16, dimension 7 and minimum 
distance 5. 
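The inverses 1/(x − w) (mod G(x)), the matrix H and the binary matrix H′ of Example 11.1, recomputed in an added Python example (this is not the book's Mathematica session; the function names are the example's own). It assumes that GF(2⁴) is represented by 4-bit integers with bit i the coefficient of αⁱ, and it checks the dimension and the minimum distance of the resulting code by brute force over all 2¹⁶ words:

```python
"""GF(16) = GF(2)[alpha]/(1 + alpha^3 + alpha^4) arithmetic and the parity-check
matrices H and H' of the binary Goppa code Gamma(x^2 + x + alpha, GF(2^4)) of
Example 11.1.  Added example, not the book's Mathematica session; field elements
are 4-bit ints with bit i the coefficient of alpha^i (so alpha itself is 2)."""

MOD_POLY = 0b11001   # 1 + alpha^3 + alpha^4, the book's GF[2, {1, 0, 0, 1, 1}]
ALPHA = 0b0010

def gf_mul(a, b):
    """Shift-and-add multiplication in GF(16), reducing by MOD_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b10000:
            a ^= MOD_POLY
    return r

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

# EXP[i] = alpha^i is the book's log table (PowerList); LOG inverts it.
EXP = [gf_pow(ALPHA, i) for i in range(15)]
LOG = {v: i for i, v in enumerate(EXP)}
ELEMENTS = [0] + EXP   # the book's column order: w = 0, 1, alpha, alpha^2, ..., alpha^14

def gf_inv(a):
    return EXP[(-LOG[a]) % 15]

def goppa_eval(w):
    """G(w) for G(x) = x^2 + x + alpha; nonzero for every w, so G has no linear factor."""
    return gf_mul(w, w) ^ w ^ ALPHA

def inverse_mod_G(w):
    """(g0, g1) with 1/(x - w) = g0 + g1 x (mod G(x)).
    In characteristic 2, (x - w)(x - w + 1) = G(x) - G(w), so modulo G(x)
    1/(x - w) = (x + w + 1)/G(w): g1 = 1/G(w) and g0 = (w + 1) g1."""
    g1 = gf_inv(goppa_eval(w))
    return gf_mul(w ^ 1, g1), g1

def check_inverse(w):
    """(x - w)(g0 + g1 x) == 1 (mod G(x)), as the book checks with PolynomialMod."""
    g0, g1 = inverse_mod_G(w)
    # (x + w)(g0 + g1 x) = g1 x^2 + (g0 + w g1) x + w g0, and x^2 = x + alpha (mod G)
    coef_x = g1 ^ g0 ^ gf_mul(w, g1)
    const = gf_mul(w, g0) ^ gf_mul(g1, ALPHA)
    return coef_x == 0 and const == 1

def parity_check_H():
    """2 x 16 matrix over GF(16); column w holds (g0^(w), g1^(w))."""
    cols = [inverse_mod_G(w) for w in ELEMENTS]
    return [[g0 for g0, _ in cols], [g1 for _, g1 in cols]]

def binary_H():
    """8 x 16 binary matrix H': each GF(16) row expanded into its 4 coordinate rows."""
    return [[(v >> bit) & 1 for v in row] for row in parity_check_H() for bit in range(4)]

def gf2_rank(rows):
    """Rank over GF(2), by elimination on rows packed into ints."""
    masks = [int("".join(map(str, r)), 2) for r in rows]
    rank = 0
    while masks:
        pivot = max(masks)
        masks.remove(pivot)
        if pivot == 0:
            break
        rank += 1
        top = pivot.bit_length() - 1
        masks = [m ^ pivot if (m >> top) & 1 else m for m in masks]
    return rank

def min_distance(rows):
    """Least weight of a nonzero c with H' c^T = 0, by trying all 2^n words."""
    n = len(rows[0])
    masks = [int("".join(map(str, r)), 2) for r in rows]
    best = n
    for c in range(1, 1 << n):
        wt = bin(c).count("1")
        if wt < best and all(bin(c & m).count("1") % 2 == 0 for m in masks):
            best = wt
    return best

if __name__ == "__main__":
    g0, g1 = inverse_mod_G(EXP[3])
    print("1/(x - alpha^3) = alpha^%d + alpha^%d x" % (LOG[g0], LOG[g1]))
    H = binary_H()
    for row in H:
        print("".join(map(str, row)))
    print("rank", gf2_rank(H), "-> dimension", 16 - gf2_rank(H), "; min distance", min_distance(H))
```

The dimension printed is 16 minus the rank of H′, which is the quantity Theorem 11.1 bounds from below by n − t·m; the minimum distance found by exhaustion can be compared with the bound 2t + 1.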


We call a matrix H whose nullspace is a particular linear code C a parity check matrix of C. We write

C = {c ∈ {0, 1}^n | H·cᵀ = 0ᵀ}. (11.3)

The syndrome of a received vector r is defined by: sᵀ = H·rᵀ.

The number of irreducible polynomials of degree t over GF(2^m) is about 2^{mt}/t (see Corollary B.18). So, a randomly selected polynomial of degree t over GF(2^m) will be irreducible with probability 1/t. Since fast algorithms for testing irreducibility (see [Berl68], Ch. 6 or [Rabi80]) exist, one can find an irreducible polynomial of degree t over GF(2^m), just like in Algorithm 9.3, by repeatedly guessing and testing.


11.2. The McEliece Cryptosystem 


Based on the theory of error-correcting codes, McEliece [McE178] proposed the following secrecy 
system. 
11.2.1 The System

□ Setting Up the System

1) Each user U chooses a suitable Goppa code of length n_U = 2^{m_U} and with error-correcting capability t_U. To this end, user U selects a random, irreducible polynomial p_U(x) of degree t_U over GF(2^{m_U}) and makes a generator matrix G_U of the corresponding Goppa code Γ(p_U(x), GF(2^{m_U})). The size of G_U is k_U × n_U.

2) User U chooses a random, dense k_U × k_U nonsingular matrix S_U and a random n_U × n_U permutation matrix P_U and computes

G′_U = S_U G_U P_U. (11.4)

3) User U makes G′_U and t_U public, but keeps G_U, S_U, and P_U secret.

□ Encryption

Suppose that user Alice wants to send a message to user Bob. She looks up Bob's publicly known parameters G′_B (of size k_B × n_B) and t_B and represents her message as a binary string m of length k_B. Next Alice chooses a random vector e (error pattern) of length n_B with at most t_B coordinates equal to 1. As encryption of m Alice sends to Bob

c = m·G′_B + e. (11.5)

(One usually says: the weight of e is at most t_B, denoted by w_H(e) ≤ t_B, where the weight function w_H counts the number of non-zero coordinates in a vector.)

□ Decryption

Upon receiving c, Bob computes with his secret permutation matrix P_B

c·P_B⁻¹ = m·G′_B·P_B⁻¹ + e·P_B⁻¹ (by (11.5))
        = m·S_B·G_B·P_B·P_B⁻¹ + e′ (by (11.4))
        = (m·S_B)·G_B + e′,

where e′ = e·P_B⁻¹ is a permutation of e, so it also has weight ≤ t_B. With the decoding algorithm of the Goppa code Γ(p_B(x), GF(2^{m_B})) Bob can efficiently decode c·P_B⁻¹. He will find e′ as error pattern and can retrieve m·S_B. Multiplication of this expression on the right with S_B⁻¹ (known to Bob) yields the originally transmitted message m ∈ {0, 1}^{k_B}.
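Key generation, encryption and decryption of Subsection 11.2.1 on the small [16, 8] Goppa code of Example 11.1, as an added Python example (not the book's code). It assumes the binary parity-check matrix H′ of Example 11.1 as Bob's secret decoder, a syndrome look-up table in place of the Goppa decoding algorithm (only feasible at this toy size), and the matrices S_B, P_B and G′_B, the random seed and all function names are the example's own:

```python
"""Toy McEliece (Subsection 11.2.1) on the [16, 8] binary Goppa code of Example 11.1,
using its 8 x 16 binary parity-check matrix H' (rows as in the book) as Bob's
secret decoder.  Added example, not the book's code.  Binary vectors are ints:
coordinate j of a length-16 word is bit (15 - j); message bit i selects row i
of a generator matrix."""
import random

N, K, T = 16, 8, 2          # length, dimension, error-correcting capability
H_ROWS = [int(r, 2) for r in (
    "0000010110101000", "0010101001010001", "1000011011111101", "1011100000111111",
    "0001110111101011", "0010110101001101", "1111110111100110", "1100111010010010")]

def parity(x):
    return bin(x).count("1") & 1

def syndrome(v):
    """s^T = H' v^T, packed into an 8-bit int."""
    return sum(parity(h & v) << i for i, h in enumerate(H_ROWS))

def vec_mat(v, rows):
    """v . M over GF(2): XOR of the rows of M selected by the set bits of v."""
    out = 0
    for i, row in enumerate(rows):
        if (v >> i) & 1:
            out ^= row
    return out

def permute(v, perm):     # v . P : output coordinate j takes input coordinate perm[j]
    return sum(((v >> perm[j]) & 1) << j for j in range(N))

def unpermute(v, perm):   # v . P^-1
    return sum(((v >> j) & 1) << perm[j] for j in range(N))

def goppa_generator():
    """A k x n generator matrix G_B: a basis of the nullspace of H' (all 2^16 words tried)."""
    basis, span = [], {0}
    for c in range(1, 1 << N):
        if syndrome(c) == 0 and c not in span:
            basis.append(c)
            span |= {s ^ c for s in span}
    return basis

def syndrome_table():
    """Bob's decoder: syndrome -> error pattern for every e of weight <= t (1 + 16 + 120 entries)."""
    table = {0: 0}
    for i in range(N):
        table[syndrome(1 << i)] = 1 << i
        for j in range(i + 1, N):
            e = (1 << i) | (1 << j)
            table[syndrome(e)] = e
    return table

def keygen(rng):
    G = goppa_generator()
    while True:                                   # random dense nonsingular k x k S_B
        S = [rng.randrange(1, 1 << K) for _ in range(K)]
        if len({vec_mat(m, S) for m in range(1 << K)}) == 1 << K:
            break
    perm = list(range(N))
    rng.shuffle(perm)                             # the permutation matrix P_B
    G_pub = [permute(vec_mat(s_row, G), perm) for s_row in S]   # G'_B = S_B G_B P_B  (11.4)
    private = {"S_inv": {vec_mat(m, S): m for m in range(1 << K)}, "perm": perm,
               "decode": syndrome_table(), "msg_of": {vec_mat(m, G): m for m in range(1 << K)}}
    return G_pub, private

def encrypt(G_pub, m, rng):
    """c = m G'_B + e with w_H(e) <= t  (11.5)."""
    e = sum(1 << i for i in rng.sample(range(N), T))
    return vec_mat(m, G_pub) ^ e

def decrypt(private, c):
    c1 = unpermute(c, private["perm"])            # c P_B^-1 = (m S_B) G_B + e'
    codeword = c1 ^ private["decode"][syndrome(c1)]   # strip e' with the secret decoder
    return private["S_inv"][private["msg_of"][codeword]]   # m S_B, then times S_B^-1

def roundtrip(seed, m):
    """Key generation, encryption and decryption of m with a seeded RNG; returns (c, m')."""
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    c = encrypt(pub, m, rng)
    return c, decrypt(priv, c)

if __name__ == "__main__":
    c, m = roundtrip(2024, 0b10110010)
    print(f"ciphertext {c:016b} decrypts to {m:08b}")
```

With t = 2 the table has 137 entries, one per correctable error pattern, which is exactly the count 2^k Σ_{i≤t} C(n, i) of reachable ciphertexts per message that Subsection 11.2.2 uses to show the map is far from surjective.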
11.2.2 Discussion

□ Summary and Proposed Parameters

The McEliece cryptosystem introduced in the previous section can be summarized as follows.

Public                 G′_U and t_U of all users U;
                       G′_U has size k_U × n_U
Secret                 p_U(x), S_U, and P_U of each user U
Property               S_U⁻¹ G′_U P_U⁻¹ is the generator
                       matrix of the Goppa code
                       defined by p_U(x) of degree t_U
Format of message      m ∈ {0, 1}^{k_B}
of Ann to Bob
Encryption             c = m·G′_B + e,
                       weight of e is ≤ t_B
Decryption             compute c′ = c·P_B⁻¹
                       decode c′ to find m′ = m·S_B
                       compute m′·S_B⁻¹ = m

Table 11.1 The McEliece cryptosystem

The reason that an error pattern e is introduced in (11.5) is of course to make it impossible for the cryptanalyst to retrieve m from c by a straightforward Gaussian elimination process.

McEliece suggests in his original proposal [McEl78] to take m_B = 10 (so n_B = 1024) and t_B = 50 (so k_B ≥ 1024 − 50 × 10 = 524).


oO Heuristics of the Scheme 


The heuristics behind this scheme are not difficult to guess. Take a sufficiently long, binary, linear block code that can correct a large number, say t, of errors and for which an efficient decoding algorithm exists. The code should belong to a large class of codes, making it impossible to guess which particular code has been selected. Let n be the length of the code and k its dimension. Manipulate the generator matrix to such an extent that the resulting matrix looks like a random k × n matrix of full rank. The decoding complexity of a randomly generated code with these parameters should be infeasible. In the next section the complexity of several decoding methods will be discussed.
In [BerMT77] it is shown that the general decoding problem of linear codes, i.e. how to find the closest codeword to any word of length n, is NP-complete. We shall not explain what this notion means exactly. We refer the interested reader to [GarJ79].


Here, it suffices to know that this characterization implies that no known algorithm can decode an 
arbitrary word to its closest codeword neighbor in a running time that depends in a polynomial 
way on the size of the input. 


Moreover, if one were to find such an algorithm, it could be adapted to solve a large class of 
equally hard problems. 


□ Not a Signature Scheme


The encryption function of the McEliece cryptosystem maps binary k-tuples to binary n-tuples. This mapping is not surjective. Indeed, for the proposed parameter set the number of vectors of length 1024 at distance ≤ 50 to a codeword is

    $2^k \sum_{i=0}^{t} \binom{n}{i} = 2^{524} \sum_{i=0}^{50} \binom{1024}{i} \approx 2^{808.4},$

which is an ignorable fraction of the total number of 1024-length words. So, the (secret) function S_U mentioned in Property PK4 (in Subsection 7.1.1) is not defined for most words in {0, 1}^n. Consequently, the McEliece system can not be turned into a signature scheme. See also Table 7.2.


11.2.3 Security Aspects 


We shall now discuss the security of the McEliece cryptosystem by analyzing four possible attacks on the specific parameters that McEliece suggests. (The most powerful attack at this moment seems to be [CanS98].)

    n = 1024; k = 524; t = 50;


□ Guessing S_B and P_B


As a cryptanalyst, one may try to guess S_B and P_B, to calculate G_B from G_B' by means of (11.4). Once G_B has been recovered, it is not so difficult for the cryptanalyst to find the defining Goppa polynomial p_B(x) of the Goppa code Γ(p_B(x), GF(2^{m_B})) that has G_B as generator matrix. One can now follow the decryption algorithm of Bob to find the transmitted message m.

However, the number of invertible matrices S_B and permutation matrices P_B is so astronomical ($\prod_{i=0}^{k-1} (2^k - 2^i)$ resp. n!) that the probability of success of this attack is smaller than the probability of correctly guessing the vector m directly.
□ Exhaustive Codewords Comparison


The cryptanalyst can compare the received vector r with all 2^k codewords in the code generated by G_B'. Let c be the closest codeword. It is at distance ≤ t from r (by the encryption rule (11.5)) and is unique because the minimum distance of the code is at least 2t + 1. It also follows from (11.5) that c = m.G_B'. With a simple Gaussian elimination process one can now retrieve the transmitted message m from c.

This approach involves the following number of comparisons:

    2^k = 2^524 ≈ 5.4918 × 10^157


Example 11.2 (Part 1)

Consider the binary code of length n = 7 and dimension k = 4, generated by

    G = {{1, 0, 0, 0, 1, 1, 0}, {0, 1, 0, 0, 1, 0, 1}, {0, 0, 1, 0, 0, 1, 1}, {0, 0, 0, 1, 1, 1, 1}}

and suppose that r = (1, 1, 1, 0, 1, 0, 1) is an intercepted ciphertext which is a codeword c plus an error vector of weight at most 1 (so t = 1).

We shall compare r with two codewords (instead of 2^k = 16) and use again the Mod function:

    i1 = {1, 1, 1, 1};
    c = Mod[i1.G, 2]
    Mod[r - c, 2]

    {1, 1, 1, 1, 1, 1, 1}
    {0, 0, 0, 1, 0, 1, 0}

So, c = i1.G lies at distance 2 from r, which is too much.

    i2 = {1, 0, 1, 0};
    c = Mod[i2.G, 2]
    Mod[r - c, 2]

    {1, 0, 1, 0, 1, 0, 1}
    {0, 1, 0, 0, 0, 0, 0}

Now c = i2.G lies at distance 1 from r and we conclude that (1, 0, 1, 0) was the transmitted information.


□ Syndrome Decoding


The cryptanalyst may compute the parity check matrix H_B' corresponding to G_B' from the equation H_B'.(G_B')^T = O (see (11.3)). It has rank n − k. Next, generate all error vectors e of weight at most t, compute the syndrome H_B'.e^T for each of them, and put these in a table.

For the intercepted vector r one first computes the syndrome s^T = H_B'.r^T. From the table one can find the corresponding error vector e. Subtracting e from r one gets the codeword c = m.G_B' (see (11.5)). With a simple Gaussian elimination process one can now retrieve the transmitted message m from this vector c.

The work load of this attack is $\sum_{i=0}^{t} \binom{n}{i}$:

    N[Sum[Binomial[n, i], {i, 0, t}], 5]

    4.3623 × 10^85


Example 11.2 (Part 2)

The parity check matrix of the code introduced in Example 11.2 is given by

    H = {{1, 1, 0, 1, 1, 0, 0}, {1, 0, 1, 1, 0, 1, 0}, {0, 1, 1, 1, 0, 0, 1}}

as can be checked with the Mathematica function Transpose (and MatrixForm) as follows:

    MatrixForm[Mod[H.Transpose[G], 2]]

    (the 3 × 4 all-zero matrix)

Next, we generate all error vectors e of weight ≤ 1 and compute their syndrome H.e^T. We put these in a table. Apart from the Mathematica functions Mod, Do, and Print, we also make use of ReplacePart, which replaces the i-th coordinate of e by the specified value (here its complement).

    e = {0, 0, 0, 0, 0, 0, 0}; Print[e, "   ", Mod[H.e, 2]];
    Do[e = ReplacePart[e, i -> 1]; Print[e, "   ", Mod[H.e, 2]]; e = ReplacePart[e, i -> 0], {i, 1, 7}]

    {0, 0, 0, 0, 0, 0, 0}   {0, 0, 0}
    {1, 0, 0, 0, 0, 0, 0}   {1, 1, 0}
    {0, 1, 0, 0, 0, 0, 0}   {1, 0, 1}
    {0, 0, 1, 0, 0, 0, 0}   {0, 1, 1}
    {0, 0, 0, 1, 0, 0, 0}   {1, 1, 1}
    {0, 0, 0, 0, 1, 0, 0}   {1, 0, 0}
    {0, 0, 0, 0, 0, 1, 0}   {0, 1, 0}
    {0, 0, 0, 0, 0, 0, 1}   {0, 0, 1}

With this table it is now easy to find a codeword at distance ≤ 1 from r.

    Mod[H.r, 2]

    {1, 0, 1}

This is the syndrome corresponding to e = (0, 1, 0, 0, 0, 0, 0), so the closest codeword is given by

    Mod[r - e, 2]

    {1, 0, 1, 0, 1, 0, 1}

Since the generator matrix G in this example has the form (I_4 | P), we can recover the transmitted information m from the first four coordinates in c:

    m = (1, 0, 1, 0).
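The scheme of Table 11.1 and the syndrome-table decoding of Example 11.2 in Python, as an added example that is not code from the book: the [7,4] code (G, H) is the one of Example 11.2, while the scrambler S, the permutation PERM and the use of a weight-≤1 syndrome table in place of a Goppa decoder are choices made here for the toy size. It also runs the exhaustive codeword comparison of Example 11.2 (Part 1).

```python
from itertools import product

# Generator and parity check matrix of the [7,4] code of Example 11.2 (from the text).
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]
T = 1  # the code corrects t = 1 error

def matmul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def vecmat(v, A):
    """Row vector times matrix over GF(2)."""
    return matmul([list(v)], A)[0]

def inverse(A):
    """Inverse of a square matrix over GF(2) by Gauss-Jordan elimination."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c]), None)
        if p is None:
            raise ValueError("matrix is singular over GF(2)")
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c and M[r][c]:
                M[r] = [x ^ y for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]

def perm_matrix(perm):
    """Permutation matrix P with (v.P)[perm[i]] = v[i]; its inverse is its transpose."""
    n = len(perm)
    P = [[0] * n for _ in range(n)]
    for i, j in enumerate(perm):
        P[i][j] = 1
    return P

def syndrome_table(H, t):
    """Map syndrome (as a tuple) -> error pattern, for all patterns of weight <= t."""
    n = len(H[0])
    return {tuple(vecmat(e, transpose(H))): e
            for e in product((0, 1), repeat=n) if sum(e) <= t}

# Bob's secret key: an invertible S and a permutation, both chosen here (assumption).
S = [[1, 1, 0, 0],
     [0, 1, 0, 0],
     [0, 0, 1, 1],
     [0, 0, 0, 1]]
PERM = [2, 0, 6, 1, 5, 3, 4]

def public_key(S, perm):
    """G' = S.G.P (equation (11.4))."""
    return matmul(matmul(S, G), perm_matrix(perm))

def encrypt(G_pub, m, e):
    """c = m.G' + e with weight(e) <= t (equation (11.5))."""
    assert sum(e) <= T
    return [a ^ b for a, b in zip(vecmat(m, G_pub), e)]

def decrypt(r, S, perm):
    """Table 11.1: c' = c.P^-1, decode c' to m' = m.S, then m = m'.S^-1."""
    c1 = vecmat(r, transpose(perm_matrix(perm)))               # undo the permutation
    e1 = syndrome_table(H, T)[tuple(vecmat(c1, transpose(H)))]  # stand-in for Goppa decoding
    codeword = [a ^ b for a, b in zip(c1, e1)]
    m1 = codeword[:len(G)]                                       # G = (I_4 | A): m' is the prefix
    return vecmat(m1, inverse(S))

def nearest_codeword(G_pub, r):
    """Exhaustive codeword comparison (Subsection 11.2.3): returns (m, distance)."""
    best = None
    for m in product((0, 1), repeat=len(G_pub)):
        d = sum(a != b for a, b in zip(vecmat(m, G_pub), r))
        if best is None or d < best[1]:
            best = (m, d)
    return best

if __name__ == "__main__":
    G_pub = public_key(S, PERM)
    r = encrypt(G_pub, [1, 0, 1, 0], [0, 0, 0, 0, 1, 0, 0])
    print(decrypt(r, S, PERM), nearest_codeword(G_pub, r))
```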


□ Guessing k Correct and Independent Coordinates


The cryptanalyst selects k random positions and hopes that they are not in error, i.e. he hopes that e is zero on these k positions. If the restriction of the matrix G_B' to these k positions still has rank k, one can find a candidate m' for the information vector m with a Gaussian elimination process.

If the rank is less than k it will very likely still be close to k (see Problem 11.2). So, the Gaussian elimination process will either lead to only a few possibilities for m' or to no solution at all.

For each possible candidate m' compute m'.G_B' and check if it lies at distance ≤ t from the intercepted vector r. If so, one has found the correct m.

The probability that the k positions are correct is about (1 − t/n)^k. The Gaussian elimination process involves k^3 steps. So, the expected workload of this method is

    N[k^3 / (1 - t/n)^k, 5]

    4.5504 × 10^19

Although this attack is the most efficient thus far, it is still not a feasible attack.
Example 11.2 (Part 3)

Guessing that coordinates 2, 4, 5, and 7 are error-free in Example 11.2, we use the Mathematica functions Transpose and MatrixForm to get the restriction G' of the generator matrix G to this guess and the restriction r' of the intercepted vector r of Example 11.2 to this guess.

    G' = {{0, 0, 1, 0}, {1, 0, 1, 1}, {0, 0, 0, 1}, {0, 1, 1, 1}}
    r' = {1, 0, 1, 1}

We use the Mathematica functions LinearSolve, NullSpace, and Transpose to see if the equation

    m'.G' = r' (mod 2)

has a solution.

    {0, 1, 0, 0}
    {}

Apparently the restriction of G to the four coordinates has full rank. The solution (0, 1, 0, 0) gives rise to a codeword that has distance 2 to r.

    {0, 1, 0, 0, 1, 0, 1}
    {1, 0, 1, 0, 0, 0, 0}

Let us now try another guess.

    [restriction G' and r' for the second guess: not legible in the scan]

    {1, 0, 1, 0}

The solution (1, 0, 1, 0) now turns out to generate a codeword at distance ≤ 1 to r.

    {0, 1, 0, 0, 0, 0, 0}

We conclude that (1, 0, 1, 0) was the transmitted information.

To let Mathematica make guesses, one first has to load the package DiscreteMath`Combinatorica`

    << DiscreteMath`Combinatorica`

and one can then use the Mathematica function RandomKSubset.

    RandomKSubset[{1, 2, 3, 4, 5, 6, 7}, 4]

    {2, 3, 4, 6}


□ Multiple Encryptions of the Same Message


It is not safe to encrypt the same message several times with the same encryption matrix G_B'. To see this, let us consider two different encryptions of the same message m, say r = m.G_B' + e and r' = m.G_B' + e' (see (11.5)). On the coordinates where r and r' disagree, we know for sure that either e or e' has a 1. On the coordinates where r and r' agree, we know almost for sure that both r and r' are error-free.

To be more precise, if the error vectors e and e' are truly randomly chosen, as they should be, one expects the following numbers of coordinates i with the given values of (e_i, e_i'):

    (e_i, e_i') = (1, 1)              t^2 / n
    (e_i, e_i') = (0, 1) or (1, 0)    2t(n − t) / n
    (e_i, e_i') = (0, 0)              (n − t)^2 / n

For instance, when the parameters are n = 1024 and t = 50, one expects e_i = e_i' = 1 on roughly 50^2 / 1024 ≈ 2.44 coordinates.

Also, one expects

    n = 1024; t = 50;
    N[(n - t)^2/n, 3]

    926.

coordinates where r and r' agree. At most three of these coordinates are likely to be corrupted.

By removing in every possible way t^2/n coordinates from the coordinate set where r and r' agree, one almost surely finds a coordinate set that is error-free and on which the matrix G_B' still has full rank (see Problem 11.2). With a simple Gaussian elimination process one recovers m from r.

When the same message has been encrypted more than two times, it is correspondingly easier to break the system.
11.2.4 A Small Example of the McEliece System

Example 11.1 (Part 2)

The Goppa code Γ(x^2 + x + α, GF(2^4)) of Example 11.1 has a generator matrix G that can be computed from the parity check matrix H by means of the Mathematica function NullSpace.

    [8 × 16 generator matrix G: not legible in the scan]

The generator matrix G of Γ(x^2 + x + α, GF(2^4)) will be transformed into G* = S.G.P, where S is an invertible matrix and P a permutation matrix, as follows:

    [the matrices S (8 × 8), P (16 × 16) and G* = S.G.P: not legible in the scan]

A possible encoding of the information sequence (1, 1, 0, 0, 1, 0, 0, 1) is given by

    [the 16-bit word cw: not legible in the scan]

Note that errors have been introduced at coordinates 5 and 9.

An eavesdropper has no efficient algorithm to find the information vector m from the word cw.

The legitimate receiver will first compute cd = cw.P^{-1} with the Mathematica function Inverse.

    [the 16-bit word cd: not legible in the scan]

Next, this vector has to be decoded with a decoding algorithm of the Goppa code Γ(x^2 + x + α, GF(2^4)). Such a method has not been discussed here. The outcome turns out to be the vector m' = (1, 0, 0, 0, 1, 1, 1, 0). This can be checked by computing m'.G and comparing that with cd. The difference is an error vector err' of weight 2, which is exactly err.P^{-1}.

    {0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0}
    {0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0}

To find m, the legitimate receiver computes m'.S^{-1}.

    {1, 1, 0, 0, 1, 0, 0, 1}

This is indeed the original message.
11.3 Another Technique to Decode Linear Codes

A large research effort has been made in the past to find decoding algorithms for general linear codes. The McEliece cryptosystem has only intensified this quest. Most of these algorithms are of the type that was discussed before: find k coordinates where the generator matrix has full rank and where the received vector is error-free. Such a technique is called information set decoding.

Here we describe a technique introduced by Van Tilburg [vTbu88] (see also [LeeB88]).


Algorithm 11.2 Bit Swapping Technique

Let G be the generator matrix of a binary code C of length n, dimension k, and minimum distance d.

Let r = c + e be a received vector, where c ∈ C (say c = m.G) and e has weight at most t, with 2t + 1 ≤ d.

Step 1: Apply suitable elementary row operations and a column permutation to G to bring G in so-called standard form, i.e. S.G.P = (I_k | A).

    Put r' = r.P and write r' = (r_1', r_2'), where r_1' has length k.

    Note that r' = m.G.P + e.P = m.S^{-1}.(I_k | A) + e', where e and e' have the same weight.

Step 2: Put c' = r_1'.(I_k | A). The first k coordinates of c' and r' are identical.

Step 3: If c' and r' differ in at most t coordinates, conclude that the first k coordinates are error-free. Compute m from r_1' = m.S^{-1} with Gaussian elimination. Let the algorithm terminate.

Step 4: If c' and r' differ in more than t coordinates, pick a random row index i, 1 ≤ i ≤ k, and column index j, 1 ≤ j ≤ n − k, with A_{i,j} ≠ 0. Construct a new matrix G from (I_k | A) by interchanging the i-th and the (k + j)-th column of G (the i-th column of I_k is swapped with the j-th column of A).

    Return to Step 1, but use there only elementary row operations with the i-th row to bring the matrix in standard form again.





Let us demonstrate one cycle of the above algorithm. We continue with Example 11.2.

Example 11.2 (Part 4)

    G = {{1, 0, 0, 0, 1, 1, 0}, {0, 1, 0, 0, 1, 0, 1}, {0, 0, 1, 0, 0, 1, 1}, {0, 0, 0, 1, 1, 1, 1}};
    MatrixForm[G]
    r = {1, 1, 1, 0, 1, 0, 1}

    1 0 0 0 1 1 0
    0 1 0 0 1 0 1
    0 0 1 0 0 1 1
    0 0 0 1 1 1 1

    {1, 1, 1, 0, 1, 0, 1}

The matrix G is already in standard form. We also see that the first four coordinates of r lead to a codeword c' that has distance 2 to r.

    r1 = Take[r, 4]
    c1 = Mod[r1.G, 2]
    Mod[r - c1, 2]

    {1, 1, 1, 0}
    {1, 1, 1, 0, 0, 0, 0}
    {0, 0, 0, 0, 1, 0, 1}

To make a swap we pick G_{2,5} as non-zero entry from columns 5–7 in G. We perform a swap of the 2-nd and 5-th column of G:

    1 1 0 0 0 1 0
    0 1 0 0 1 0 1
    0 0 1 0 0 1 1
    0 1 0 1 0 1 1

To bring this in systematic form we use the Mathematica function RowReduce.

    1 0 0 0 1 1 1
    0 1 0 0 1 0 1
    0 0 1 0 0 1 1
    0 0 0 1 1 1 0


In order to analyze the complexity of the bit-swapping algorithm, we let Pr(l + u | l) denote the conditional probability that exactly l + u of the first k positions of e' are in error after a swap, given that precisely l were in error before the swap (u = −1, 0, 1).

Let a = min{t, k}. Then the following straightforward relations hold:

    $\Pr(l - 1 \mid l) = \frac{l}{k} \cdot \frac{n - k - (t - l)}{n - k}, \quad \text{if } 1 \le l \le a,$   (11.6)

    $\Pr(l + 1 \mid l) = \frac{k - l}{k} \cdot \frac{t - l}{n - k}, \quad \text{if } 1 \le l \le a - 1,$   (11.7)

    $\Pr(l \mid l) = 1 - \Pr(l - 1 \mid l) - \Pr(l + 1 \mid l), \quad \text{if } 1 \le l \le a - 1,$
    $\Pr(a \mid a) = 1 - \Pr(a - 1 \mid a), \quad \text{if } l = a.$   (11.8)

Example 11.3 (Part 1)

Consider a (binary) code with parameters n = 23, k = 12, and t = 3. Then a = min{k, t} = 3. The values of Pr(l − 1 | l) and Pr(l + 1 | l) can be computed (and printed) from (11.6) and (11.7) with the Mathematica functions Min, Do, and Print.

    Pr(2|3) = 1/4
    Pr(1|2) = 5/33
    Pr(0|1) = 3/44
    Pr(3|2) = 5/66
    Pr(2|1) = 1/6

Note that the probability of a successful swap gets smaller for smaller values of l.
Theorem 11.3

Let N_l denote the expected number of swaps needed to go from state l (l of the first k positions in error) to state l − 1. Then

    N_a = 1 / Pr(a − 1 | a) = 1 / (1 − Pr(a | a)),   (11.9)

    N_{l−1} = (1 + Pr(l | l − 1).N_l) / Pr(l − 2 | l − 1),   2 ≤ l ≤ a.   (11.10)





Proof:

The first equality in equation (11.9) follows directly from the definition of Pr(a − 1 | a). The second equality follows from (11.8).

To show (11.10), we note that from state l − 1 there are three possible directions for the algorithm to follow:

i) with probability Pr(l − 2 | l − 1) it goes to state l − 2 in one step.

ii) with probability Pr(l − 1 | l − 1) it stays in state l − 1 and so one can expect the algorithm to reach state l − 2 in 1 + N_{l−1} steps.

iii) with probability Pr(l | l − 1) it goes back to state l and so one expects it to reach state l − 2 in 1 + N_l + N_{l−1} steps.

The above proves the following recurrence relation

    N_{l−1} = Pr(l − 2 | l − 1).1 + Pr(l − 1 | l − 1).(1 + N_{l−1}) + Pr(l | l − 1).(1 + N_l + N_{l−1}),

which reduces to (11.10) because Pr(l − 2 | l − 1) = 1 − Pr(l − 1 | l − 1) − Pr(l | l − 1).

Note that in the calculations of N_l only probabilities of the form Pr(i − 1 | i) play a role.
Example 11.3 (Part 2)

Continuing with Example 11.3, we see that the values of N_l can be computed recursively with (11.9) and (11.10).

    Numb(3) = 4
    Numb(2) = 43/5
    Numb(1) = 1606/45

Theorem 11.4

The expected number of swaps needed by Algorithm 11.2 to obtain k error-free coordinates is

    $\sum_{j=1}^{a} \frac{\binom{k}{j}\binom{n-k}{t-j}}{\binom{n}{t}} \,(N_1 + N_2 + \dots + N_j).$   (11.11)





Proof:

The expected number of steps to reach state 0 when one starts in state j, 1 ≤ j ≤ a, is given by the expected number of steps to reach state j − 1 from state j, plus the expected number of steps to reach state j − 2 from state j − 1, etc. This explains the inner sum in (11.11):

    N_j + N_{j−1} + ... + N_1.

The probability of starting in state j is equal to the probability that a randomly selected k-tuple contains j errors. This probability is equal to the fraction of the number of t-tuples out of n that have intersection j with a given k-tuple (and intersection t − j with the other n − k positions). So, this probability is given by

    $\binom{k}{j}\binom{n-k}{t-j} \Big/ \binom{n}{t}.$

Now, take the product of the two factors above and sum it over all values of j.


Example 11.3 (Part 3)

It follows from Theorem 11.4 that the expected number of swaps that are needed in a code with n = 23, k = 12, and t = 3 (as introduced in Example 11.3) to get 12 error-free coordinates is given by:

    [value not legible in the scan]

The above bit swapping algorithm gives a significant improvement (also asymptotically) over the methods explained in Subsection 11.2.3. For the strongest result in this area we refer the reader to [BaKT99].
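Algorithm 11.2 run on the code and intercepted vector of Example 11.2, together with (11.6)–(11.10) and the sum of Theorem 11.4 for the parameters of Example 11.3, as an added Python example that is not code from the book; the relations are used as read from this section, and a seeded random.Random (an assumption of this example) drives the choice in Step 4 so that the run is reproducible.

```python
import random
from fractions import Fraction
from math import comb

# [7,4] code and intercepted vector of Example 11.2 (from the text).
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
R = [1, 1, 1, 0, 1, 0, 1]

def vecmat(v, A):
    """Row vector times matrix over GF(2)."""
    return [sum(a * b for a, b in zip(v, col)) % 2 for col in zip(*A)]

def reduce_with_row(M, i):
    """Elementary row operations with row i only: clear column i in every other row."""
    for r in range(len(M)):
        if r != i and M[r][i]:
            M[r] = [x ^ y for x, y in zip(M[r], M[i])]

def standard_form(G):
    """Step 1: row operations and column swaps so that M = (I_k | A).
    perm[p] is the original coordinate now sitting at position p."""
    k, n = len(G), len(G[0])
    M = [row[:] for row in G]
    perm = list(range(n))
    for c in range(k):
        piv = next(((r, j) for j in range(c, n) for r in range(c, k) if M[r][j]), None)
        if piv is None:
            raise ValueError("rank of G is smaller than k")
        r, j = piv
        M[c], M[r] = M[r], M[c]
        for row in M:
            row[c], row[j] = row[j], row[c]
        perm[c], perm[j] = perm[j], perm[c]
        reduce_with_row(M, c)
    return M, perm

def bit_swap_decode(G, r, t, rng, max_swaps=10000):
    """Algorithm 11.2. Returns (codeword within distance t of r, number of swaps)."""
    k, n = len(G), len(G[0])
    M, perm = standard_form(G)
    swaps = 0
    while True:
        rp = [r[perm[p]] for p in range(n)]             # r' = r.P
        cp = vecmat(rp[:k], M)                           # Step 2: c' = r1'.(I_k | A)
        if sum(a ^ b for a, b in zip(cp, rp)) <= t:      # Step 3
            c = [0] * n
            for p in range(n):
                c[perm[p]] = cp[p]                       # back to the original coordinate order
            return c, swaps
        if swaps >= max_swaps:
            raise RuntimeError("no codeword within distance t found")
        # Step 4: swap information position i with redundancy position k+j where A[i][j] = 1
        i, j = rng.choice([(i, j) for i in range(k) for j in range(n - k) if M[i][k + j]])
        for row in M:
            row[i], row[k + j] = row[k + j], row[i]
        perm[i], perm[k + j] = perm[k + j], perm[i]
        reduce_with_row(M, i)                            # back to Step 1, with row i only
        swaps += 1

def demo_decode(seed=1):
    """Decode the intercepted vector of Example 11.2 (t = 1) with a fixed seed."""
    return bit_swap_decode(G, R, 1, random.Random(seed))

def pr_down(l, n, k, t):
    """(11.6): the swapped-out position is in error, the swapped-in one is not."""
    return Fraction(l, k) * Fraction(n - k - (t - l), n - k)

def pr_up(l, n, k, t):
    """(11.7): the swapped-out position is error-free, the swapped-in one is in error."""
    return Fraction(k - l, k) * Fraction(t - l, n - k)

def expected_swaps_per_state(n, k, t):
    """N_l = expected swaps from state l to l-1, by (11.9) and (11.10)."""
    a = min(t, k)
    N = {a: 1 / pr_down(a, n, k, t)}
    for l in range(a, 1, -1):
        N[l - 1] = (1 + pr_up(l - 1, n, k, t) * N[l]) / pr_down(l - 1, n, k, t)
    return N

def expected_total_swaps(n, k, t):
    """Theorem 11.4: average over the initial state j of N_j + ... + N_1."""
    a = min(t, k)
    N = expected_swaps_per_state(n, k, t)
    return sum(Fraction(comb(k, j) * comb(n - k, t - j), comb(n, t))
               * sum(N[i] for i in range(1, j + 1)) for j in range(1, a + 1))

if __name__ == "__main__":
    print(demo_decode())
    print(expected_swaps_per_state(23, 12, 3), float(expected_total_swaps(23, 12, 3)))
```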


11.4 The Niederreiter Scheme 


The Niederreiter scheme [Nied86] is a variation of the McEliece cryptosystem. It applies the very same idea to the parity check matrix of a linear code. The scheme is summarized in Table 11.2 below.

So, again we have a Goppa code Γ(p_U(x), GF(2^{m_U})) (see (11.1)) defined by user U's Goppa polynomial p_U(x) over GF(2^{m_U}) of degree t_U. Let H_U be a parity check matrix of this code. It has size (n_U − k_U) × n_U, where k_U is the dimension of the code.

The code Γ(p_U(x), GF(2^{m_U})) is t_U-error correcting, which implies that every vector y of weight ≤ t_U has a unique syndrome H_U.y. Existing decoding algorithms for Goppa codes find y efficiently from its syndrome.

Just like in the McEliece system, the structure of the Goppa code has to be hidden from the matrix H_U. This is done by computing

    H_U' = S_U.H_U.P_U,   (11.12)

where S_U is a (n_U − k_U) × (n_U − k_U) invertible matrix and P_U a permutation matrix of size n_U (see (11.4)).

The matrix H_U' has to be made public, together with the value t_U.

If Alice wants to send a message to Bob, she looks up Bob's public parameters H_B' and t_B. She represents her message by means of a (column) vector m of weight ≤ t_B. She computes v = H_B'.m and sends that as her ciphertext to Bob.

Bob first multiplies v on the left with S_B^{-1}. He obtains v' = S_B^{-1}.v = H_B.(P_B.m) by (11.12). Since P_B.m is a permutation of m, and thus also of weight ≤ t_B, the decoding algorithm of Bob's Goppa code will find m' = P_B.m efficiently. The message m can now be recovered by multiplying m' on the left with P_B^{-1}.
Public              H_U' and t_U of all users U;
                    H_U' has size (n_U − k_U) × n_U
Secret              p_U(x), S_U, and P_U by each user U
Property            S_U^{-1}.H_U'.P_U^{-1} is the parity check matrix of the
                    Goppa code defined by p_U(x) of degree t_U
Format of message   m ∈ {0, 1}^{n_B}, weight(m) ≤ t_B
of Ann to Bob
Encryption          v = H_B'.m
Decryption          compute v' = S_B^{-1}.v,
                    use decoding algorithm to find m' with H_B.m' = v',
                    compute P_B^{-1}.m' = m

The Niederreiter cryptosystem
Table 11.2
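The Niederreiter exchange of Table 11.2 on the [7,4] code of Example 11.2, as an added example that is not code from the book; the matrix S (chosen here to be its own inverse over GF(2), so no matrix inversion is needed), the permutation PERM and the syndrome table standing in for the Goppa decoder are assumptions of this example.

```python
from itertools import product

# Parity check matrix of the [7,4] code of Example 11.2 (from the text); it corrects t = 1 error.
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]
T = 1

def matvec(A, x):
    """Matrix times column vector over GF(2)."""
    return [sum(a * b for a, b in zip(row, x)) % 2 for row in A]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def perm_matrix(perm):
    """P with (P.x)[i] = x[perm[i]]; its inverse is its transpose."""
    n = len(perm)
    P = [[0] * n for _ in range(n)]
    for i, j in enumerate(perm):
        P[i][j] = 1
    return P

def syndrome_table(H, t):
    """Syndrome H.y -> y for every y of weight <= t (injective for a t-error-correcting code)."""
    n = len(H[0])
    return {tuple(matvec(H, y)): list(y) for y in product((0, 1), repeat=n) if sum(y) <= t}

# Bob's secret key, chosen here (assumption): S with S.S = I over GF(2), and a permutation.
S = [[1, 1, 0],
     [0, 1, 0],
     [0, 0, 1]]
PERM = [3, 0, 5, 1, 6, 2, 4]

def public_key(S, perm):
    """H' = S.H.P (equation (11.12))."""
    return matmul(matmul(S, H), perm_matrix(perm))

def encrypt(H_pub, m):
    """Ciphertext v = H'.m for a message m of weight <= t."""
    assert sum(m) <= T
    return matvec(H_pub, m)

def decrypt(v, S, perm):
    """Table 11.2: v' = S^-1.v, find m' with H.m' = v', then m = P^-1.m'."""
    v1 = matvec(S, v)                       # S is an involution, so S^-1 = S
    m1 = syndrome_table(H, T)[tuple(v1)]    # stand-in for the Goppa decoder
    return matvec(transpose(perm_matrix(perm)), m1)

if __name__ == "__main__":
    H_pub = public_key(S, PERM)
    v = encrypt(H_pub, [0, 0, 0, 0, 1, 0, 0])
    print(v, decrypt(v, S, PERM))
```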


11.5 Problems

Problem 11.1
What is the probability that k columns in a random k × n binary matrix have rank k? How about the probability that k + 1 columns in this matrix have rank k?

Compute these two probabilities for n = 16 and k = 5.

Problem 11.2
Let C be a linear code of length n = 23 and dimension k = 12. Assume that at most three errors have occurred. What is the complexity of the various attacks described in Subsection 11.2.3?

Problem 11.3
Let C be a linear code of length 11 and dimension 6. Suppose that two errors have occurred. How many swaps are expected to get 6 error-free coordinates if one follows Algorithm 11.2?
12 Knapsack Based Systems


12.1 The Knapsack System


12.1.1 The Knapsack Problem


In [MerH78], Merkle and Hellman propose a public key cryptosystem that is based on the difficulty of solving the knapsack problem. Since then, other knapsack related cryptosystems have been suggested, most of which turned out to be insecure. An exception, up to now, is the Chor-Rivest scheme proposed in [ChoR85], but in [Vaud98] it is shown that the suggested parameters in [ChoR85] are also insecure.


Definition 12.1
Let a_1, a_2, ..., a_n be a sequence of n positive integers. Let also S be an integer. The question if the equation

    x_1 a_1 + x_2 a_2 + ... + x_n a_n = S   (12.1)

has a solution with each x_i in {0, 1} is called the knapsack problem.


Note that we do not ask for a solution of (12.1); the question is only if there exists a solution. Finding a {0, 1}-solution to (12.1) is of course at least as difficult as just finding out whether a solution exists.

For large n the knapsack problem is intractable to solve. In fact it has been shown that the knapsack problem is NP-complete (see [GarJ79] or a very short discussion in Subsection 11.2.2).

For some sequences {a_i}_{i=1}^n it is not difficult to find a {0, 1}-solution to (12.1), resp. to show that no such solution exists. For example, with the sequence a_i = 2^{i−1}, 1 ≤ i ≤ n, equation (12.1) will have a solution if and only if 0 ≤ S ≤ 2^n − 1. Finding the solution is very easy in this case.

A much more general class of sequences {a_i}_{i=1}^n exists for which (12.1) is easily solvable. This is the class of so-called super-increasing sequences.

A sequence {a_i}_{i=1}^n is called super-increasing if for all 1 ≤ k ≤ n,

    $\sum_{i=1}^{k-1} a_i < a_k.$   (12.2)
Algorithm 12.1 solves the knapsack problem for super-increasing sequences. It actually finds the solution {x_i}_{i=1}^n for each right hand side S for which (12.1) is solvable. The idea is very simple: since $\sum_{i=1}^{n-1} a_i < a_n$, it follows that in a solution

    x_n = 1  ⟺  S ≥ a_n.

Now, subtract x_n a_n from S and determine x_{n−1} in the same way. So, recursively for k = n − 1, n − 2, ..., 1

    x_k = 1  ⟺  $(S - \sum_{i=k+1}^{n} x_i a_i) \ge a_k.$

If at the end $S - \sum_{i=1}^{n} x_i a_i = 0$ one has found the solution to (12.1), otherwise one may conclude that (12.1) does not admit a solution.

Algorithm 12.1 Solving the knapsack problem for a super-increasing sequence.

    input       {a_i}_{i=1}^n a super-increasing sequence of positive integers,
                S integer
    initialize  k = n
    while k ≥ 1 do begin
        if S ≥ a_k then x_k = 1 else x_k = 0;
        put S = S − x_k a_k;
        put k = k − 1
    end
    if S = 0 then print {x_i}_{i=1}^n else print "no solution"


Example 12.1 (Part 1)

Consider the super-increasing sequence {a_i}_{i=1}^6 = {22, 89, 345, 987, 4567, 45678} and the right hand side S = 5665. To see if (12.1) has a solution we apply Algorithm 12.1.

Because S < a_6, we get x_6 = 0. Next, we see that S ≥ a_5, so we have x_5 = 1. We subtract a_5 from S and get 1098. We see that this new value of S satisfies S ≥ a_4, so x_4 = 1, etc. The final solution is {1, 1, 0, 1, 1, 0}. Below the same process is written in Mathematica. We make use of the functions Length, While, If, and Join. The solution {x_i}_{i=1}^6 is formed by prepending each newly found value x_i to {x_{i+1}, ..., x_6}, i = 6, 5, ..., 1.

    KnapsackForSuperIncreasingSequence[a_List, S_] :=
      Module[{n, x, X, T},
        n = Length[a]; X = {}; T = S;
        While[n >= 1,
          If[T >= a[[n]], x = 1, x = 0];
          T = T - x a[[n]];
          X = Join[{x}, X]; n = n - 1];
        If[T != 0, Print["No solution"], X]]
12.1.2 The Knapsack System

□ Setting Up the Knapsack System


The knapsack cryptosystem, as proposed in [MerH78], is based on the apparent difficulty of solving the knapsack problem and the ease of solving this problem for super-increasing sequences.

Each user U makes a super-increasing sequence {u_i}_{i=1}^{n_U} of length n_U. Next, U selects integers W_U and N_U such that

    $N_U > \sum_{i=1}^{n_U} u_i$   (12.3)

and

    gcd(W_U, N_U) = 1.   (12.4)

User U computes the numbers

    u_i' = (W_U.u_i mod N_U),  1 ≤ i ≤ n_U,   (12.5)

and makes the sequence {u_i'}_{i=1}^{n_U} known as his public key. As a precalculation for the decryption, user U also computes W_U^{-1} mod N_U.

The number W_U^{-1} mod N_U can be computed with the extended version of Euclid's Algorithm (Alg. A.8). Indeed, since gcd(W_U, N_U) = 1, this algorithm will give X and Y such that 1 = X.W_U + Y.N_U. It follows that X.W_U ≡ 1 (mod N_U), i.e. X = W_U^{-1}.

Each user keeps the super-increasing sequence {u_i}_{i=1}^{n_U} and the numbers W_U, W_U^{-1}, and N_U secret.


Example 12.1 (Part 2)

We continue with the parameters of Example 12.1. So, Bob chooses {b_i}_{i=1}^6 = {22, 89, 345, 987, 4567, 45678} as his super-increasing sequence. Further, he selects N_B = 56789, which satisfies $N_B > \sum_{i=1}^{6} b_i$, and W_B = 12345, which is coprime with N_B.

Next, he calculates b_i' = (W_B b_i mod N_B). Here, we do this with the Mathematica function Mod. To check the conditions above we need the GCD function.

    b = {22, 89, 345, 987, 4567, 45678}; NB = 56789; WB = 12345;
    NB > Apply[Plus, b]
    GCD[WB, NB] == 1
    Mod[WB b, NB]

    True
    True
    {44434, 19714, 56639, 31669, 44927, 36929}

So, {b_i'}_{i=1}^6 = {44434, 19714, 56639, 31669, 44927, 36929} is the public key.

For this small value of n_B it already takes some effort to solve the knapsack problem (try 101077).

The number W_B^{-1} mod N_B can be found with the ExtendedGCD and Mod functions.

    Mod[ExtendedGCD[WB, NB][[2, 1]], NB]

    39750
□ Encryption

Suppose that Alice wants to send a message to Bob. She looks up the public encryption key {b_i'}_{i=1}^{n_B} of Bob. Next, she represents her message by a binary vector (m_1, m_2, ..., m_{n_B}) of length n_B (or by more vectors of this length if the message is too long).

Alice will send to Bob the ciphertext

    $C = \sum_{i=1}^{n_B} m_i b_i'.$   (12.6)
Example 12.1 (Part 3)

We continue with the parameters of Example 12.1. So, Bob's public key is given by {b_i'}_{i=1}^6 = {44434, 19714, 56639, 31669, 44927, 36929}.

Let Alice's message be {m_i}_{i=1}^6 = {1, 1, 0, 0, 0, 1}. Then the ciphertext that she will send will be $\sum_{i=1}^{6} m_i b_i' = 101077$.

    {1, 1, 0, 0, 0, 1}.{44434, 19714, 56639, 31669, 44927, 36929}

    101077


□ Decryption

When Bob receives a ciphertext C he will first multiply it with W_B^{-1} and reduce the answer modulo N_B (both are his secret parameters). It follows that

    $W_B^{-1}.C \equiv W_B^{-1} \sum_{i=1}^{n_B} m_i b_i' \equiv \sum_{i=1}^{n_B} m_i b_i \pmod{N_B},$

where the first congruence follows from (12.6) and the second from (12.5). Inequality (12.3) implies that $\sum_{i=1}^{n_B} m_i b_i < N_B$. So, we can rewrite the above equation as follows:

    $\sum_{i=1}^{n_B} m_i b_i = (W_B^{-1}.C \bmod N_B).$   (12.7)

Since the sequence {b_i}_{i=1}^{n_B} is super-increasing, Bob can now apply Algorithm 12.1 with (W_B^{-1}.C mod N_B) as right hand side to recover the message {m_i}_{i=1}^{n_B}.


Example 12.1 (Part 4)

We continue with the parameters of Example 12.1.

Assume that Bob has received C = 101077. First Bob computes (W_B^{-1} C mod N_B) with W_B^{-1} = 39750 and N_B = 56789.

    Mod[39750 101077, 56789]

    45789

He gets 45789. To solve (12.1), $\sum_{i=1}^{6} m_i b_i = S$, he can use the function KnapsackForSuperIncreasingSequence defined earlier.
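Algorithm 12.1 and the knapsack system of (12.3)–(12.7) with the parameters of Example 12.1, as an added Python example that is not code from the book; the function names are this example's own, and W^{-1} mod N is taken from Python's built-in pow rather than from Alg. A.8.

```python
from math import gcd

def solve_superincreasing(a, S):
    """Algorithm 12.1: {0,1}-solution of x_1 a_1 + ... + x_n a_n = S for a super-increasing
    sequence a, or None when (12.1) has no solution."""
    x = [0] * len(a)
    for k in range(len(a) - 1, -1, -1):   # k = n, n-1, ..., 1 in the text's 1-based indexing
        if S >= a[k]:
            x[k] = 1
            S -= a[k]
    return x if S == 0 else None

def is_superincreasing(a):
    """Condition (12.2): each a_k exceeds the sum of all earlier elements."""
    total = 0
    for ak in a:
        if ak <= total:
            return False
        total += ak
    return True

def make_keys(u, W, N):
    """Check (12.2), (12.3) and (12.4), then build the public knapsack (12.5) and W^-1 mod N."""
    if not is_superincreasing(u) or N <= sum(u) or gcd(W, N) != 1:
        raise ValueError("parameters violate (12.2), (12.3) or (12.4)")
    public = [(W * ui) % N for ui in u]
    W_inv = pow(W, -1, N)      # modular inverse (extended Euclid inside Python 3.8+)
    return public, W_inv

def encrypt(public, m):
    """(12.6): C = sum of the public elements selected by the message bits."""
    assert len(m) == len(public) and set(m) <= {0, 1}
    return sum(mi * bi for mi, bi in zip(m, public))

def decrypt(u, W_inv, N, C):
    """(12.7): Algorithm 12.1 on (W^-1.C mod N) with the secret super-increasing sequence."""
    return solve_superincreasing(u, (W_inv * C) % N)

# Parameters of Example 12.1 (from the text).
B = [22, 89, 345, 987, 4567, 45678]
N_B, W_B = 56789, 12345

if __name__ == "__main__":
    public, W_inv = make_keys(B, W_B, N_B)
    C = encrypt(public, [1, 1, 0, 0, 0, 1])
    print(public, W_inv, C, decrypt(B, W_inv, N_B, C))
```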





□ A Further Discussion

The knapsack system is summarized in the table below.

Public              {u_i'}_{i=1}^{n_U} of all users U
Secret to U         {u_i}_{i=1}^{n_U}, W_U^{-1}, N_U
Properties          u_i' ≡ W_U.u_i (mod N_U),
                    {u_i}_{i=1}^{n_U} super-increasing,
                    gcd(W_U, N_U) = 1
Message for B       {m_i}_{i=1}^{n_B}
Encryption          C = Σ_{i=1}^{n_B} m_i b_i'
Decryption by B     apply Algorithm 12.1 to {b_i}_{i=1}^{n_B} and W_B^{-1}.C mod N_B

The Knapsack Cryptosystem
Table 12.1


Even though the knapsack cryptosystem does not have the signature property, for a short while it gained an enormous popularity. The main reason is the low complexity of its implementation. In applications, both encryption and decryption can take place at very high data rates.

The authors of [MerH78] recommend the users to take length n_U = 100, a sequence {u_i}_{i=1}^{100} satisfying

    (2^{i−1} − 1).2^{100} < u_i < 2^{i−1}.2^{100},  1 ≤ i ≤ 100,

(it will automatically be super-increasing), and a modulus N_U such that

    2^{201} + 1 < N_U < 2^{202}.

Note that also (12.3) is satisfied.

It is further recommended that user U makes a permuted version of {u_i'}_{i=1}^{n_U} public instead of {u_i'}_{i=1}^{n_U} itself, to disguise the order of the original super-increasing sequence. In this way, a cryptanalyst has no information about which element u_i' in the public knapsack came from (the smallest knapsack element) u_1, for instance.


The idea of multiplying a super-increasing sequence with a constant W_U modulo N_U is of course to obtain a knapsack that looks random. To increase this effect and thus to increase the security of the knapsack cryptosystem, [MerH78] advises to iterate this multiplication.

Hence, each user U also selects $N_U' > \sum_{i=1}^{n_U} u_i'$ and 1 < W_U' < N_U' with gcd(W_U', N_U') = 1, computes u_i'' = W_U'.u_i' (mod N_U'), 1 ≤ i ≤ n_U, and makes {u_i''}_{i=1}^{n_U} public instead of {u_i'}_{i=1}^{n_U}.


It makes sense to iterate this process of modulo-multiplication, as is illustrated in the following 
example. 


Example 12.2

Let n = 3 and consider {u_i}_{i=1}^3 = {5, 10, 20}. Multiplying this sequence with 17 modulo 47 gives {u_i'}_{i=1}^3 = {38, 29, 11}. Multiplying this sequence with 3 modulo 89 gives {u_i''}_{i=1}^3 = {25, 87, 33}.

These calculations can be verified with the Mod function.

    Mod[17 {5, 10, 20}, 47]
    Mod[3 {38, 29, 11}, 89]

    {38, 29, 11}
    {25, 87, 33}

It is impossible to find integers W and N that map {u_i}_{i=1}^3 directly into {u_i''}_{i=1}^3. Indeed, the congruence relations

    5W ≡ 25 (mod N),
    10W ≡ 87 (mod N)

imply that N divides 87 − 2 × 25 = 37. Since 37 is a prime, it follows that N = 37. It also follows that W ≡ 5. These values of W and N however violate the third congruence relation

    20W ≡ 33 (mod N).

This shows that an iteration of modulo-multiplications can not always be replaced by a single modulo-multiplication.
The above example also demonstrates something else. Note that the second iteration mapped the not-super-increasing knapsack {38, 29, 11} into {25, 87, 33}, which after a reordering is a super-increasing sequence.

This also makes it clear that cryptanalyst Eve does not have to guess the original integers W_U and N_U (and also W_U' and N_U' in the iterated case) to convert the public key back into a super-increasing sequence. Eve can also decrypt the ciphertext if she is able to obtain another super-increasing sequence from {u_i'}_{i=1}^{n_U} (resp. {u_i''}_{i=1}^{n_U}).


These observations demonstrate two important things:

1) Iteration does not necessarily increase the security of the system.

2) It may be easier for a cryptanalyst to map the public knapsack into a super-increasing sequence other than the original.

Some critics of the knapsack cryptosystem did not trust the linearity of the system. Their intuition/experience told them that the knapsack cryptosystem was bound to be broken.

The reader should remember that the general knapsack problem is NP-complete. This implies in particular that no known algorithm solves it in polynomial time. However, the property of NP-completeness has never been proved for the restriction of the knapsack problem to the subclass of knapsacks obtained by a single modulo-multiplication of a super-increasing sequence. In 1982, Shamir [Sham82] showed that the single iteration version of the knapsack system can be broken with very high probability in polynomial time. This attack was later generalized by others (see [Adle83] and [Bric85]).

In Section 12.2, an outline of the much more general attack by Lagarias and Odlyzko [LagO83] will be given.


12.2 The L³-Attack


12.2.1 Introduction 


In the original knapsack cryptosystem it is assumed that the secret sequence $\{u_i\}_{i=1}^n$ is super-increasing. However, this is not crucial for a knapsack-based cryptosystem. It only makes the decryption easy, because of Algorithm 12.1. The only essential requirement is that the plaintext-to-ciphertext mapping $\{m_i\}_{i=1}^n \to C$ in (12.6) is one-to-one.


Since the general knapsack problem is NP-complete, no known algorithm solves it in polynomial time. Still, it is quite possible that polynomial-time algorithms do exist which solve, with some positive probability, any knapsack problem in a large subclass of knapsack problems. Such an algorithm would make the knapsack system unsuitable for cryptographic purposes.

In this section, we shall often use the vector notation $\mathbf{u} = (u_1, u_2, \ldots, u_n)$ for a knapsack $\{u_i\}_{i=1}^n$. Before we give an outline of the Lagarias and Odlyzko attack (also called the L³-attack) [LagO83], we have to define a few new notions.


Definition 12.2
The density $d(\mathbf{u})$ of a knapsack $\mathbf{u} = (u_1, u_2, \ldots, u_n)$ is defined by

$d(\mathbf{u}) = \dfrac{n}{\max_{1 \le i \le n} \log_2 u_i}$.


Example 12.3 


For instance, the density of the knapsack {22, 89, 345, 987, 4567, 45678} is $6/\log_2 45678 \approx 0.39$, as can be checked with the Mathematica functions Max, Log, Length, and N.





The density $d(\mathbf{u})$ serves as a measure for the information rate of a knapsack system. Indeed, the numerator is the number of message bits that are stored in the sum $C$ of the knapsack (see (12.6)). The denominator is a good approximation of the average number of bits needed for the binary representation of $C$. For instance, with $u_i = 2^{i-1}$, $1 \le i \le n$, the density is $n/(n-1) \approx 1$, as it should be.


We shall show further on that the Lagarias and Odlyzko attack is more likely to break the knapsack 
system if its density is smaller. 


This may sound like a heavy restriction, but one should realize that nobody likes to use a 
cryptosystem that has a non-trivial positive chance to be broken. 


12.2.2 Lattices 


Let $\{v_1, v_2, \ldots, v_n\}$ be a set of vectors in $\mathbb{Z}^n$ that are linearly independent over $\mathbb{R}$. Then the set of all integer linear combinations of $v_1, v_2, \ldots, v_n$ is called an integer lattice. In formula:

$\Lambda = \{\sum_{i=1}^n a_i v_i \mid a_i \in \mathbb{Z},\ 1 \le i \le n\} = \mathbb{Z}v_1 + \mathbb{Z}v_2 + \cdots + \mathbb{Z}v_n$.
We say that the $n$ independent vectors $v_1, v_2, \ldots, v_n$ form a basis for the lattice $\Lambda$. Note that the basis of a lattice is certainly not unique. Normally, the order of the basis vectors does not matter, but in the sequel such an order will matter. We shall use the notation $[v_1, v_2, \ldots, v_n]$ to indicate a particular ordering.


Example 12.4 


Consider the lattice $\Lambda$ in $\mathbb{Z}^2$ with basis $v_1 = (3, 1)$ and $v_2 = (1, 2)$. It consists of all points of the form $\alpha \cdot (3, 1) + \beta \cdot (1, 2)$, with $\alpha, \beta \in \mathbb{Z}$. Below part of this lattice is depicted.

Lattice in $\mathbb{R}^2$ with basis (3, 1) and (2, 1)
Figure 12.1


For the L³-attack that we shall describe later on, it is of great importance to find a vector in $\Lambda$ of short length, or even better to find a complete basis of short vectors for $\Lambda$. For this reason, we need to study basis transformations more carefully.


The Gram-Schmidt process is a well known algorithm from linear algebra to transfer a basis $\{v_1, v_2, \ldots, v_n\}$ of a linear (sub)space into an orthogonal basis, i.e. into a basis $\{u_1, u_2, \ldots, u_n\}$ with the property that all vectors $u_i$ are orthogonal to each other, i.e. $(u_i, u_j) = 0$ for $i \ne j$. It goes as follows:

$u_1 = v_1$,
$u_2 = v_2 - \mu_{12} u_1$,
$u_3 = v_3 - \mu_{13} u_1 - \mu_{23} u_2$,
$\vdots$
$u_n = v_n - \mu_{1n} u_1 - \mu_{2n} u_2 - \cdots - \mu_{n-1,n} u_{n-1}$,

where

$\mu_{ij} = \dfrac{(v_j, u_i)}{(u_i, u_i)}$, $1 \le i < j \le n$.
Example 12.5
To demonstrate the Gram-Schmidt process we take $v_1 = (3, 4, 2)$, $v_2 = (2, 5, 2)$, and $v_3 = (1, 2, 6)$ in $\mathbb{R}^3$.

This can also be done in Mathematica. We first load the Mathematica package LinearAlgebra`Orthogonalization` and then run GramSchmidt. The result will be an orthonormal basis, i.e. we obtain a set of $n$ orthogonal vectors $u_i$ that have been further divided by their length to give them unit length.











As we can see in the example above, the vectors $u_i$, $1 \le i \le n$, will, in general, no longer have integer coordinates. In the context of integer lattices that is an undesirable situation.

In the next subsection we shall discuss an (integer-valued) basis for lattice $\Lambda$ that is not completely orthonormal, but has two other attractive properties.

12.2.3 A Reduced Basis


Let $\|u\|$ denote the standard Euclidean norm or length of a vector $u$. So, $\|u\| = (u, u)^{1/2} = \left(\sum_{i=1}^n u_i^2\right)^{1/2}$.


Definition 12.4
A basis $\{v_1, v_2, \ldots, v_n\}$ of an integer lattice $\Lambda$ is called $y$-reduced, where $1/4 < y < 1$, if the orthogonal basis $\{u_1, u_2, \ldots, u_n\}$ obtained from $\{v_1, v_2, \ldots, v_n\}$ through the Gram-Schmidt process satisfies

$\|u_i + \mu_{i-1,i} u_{i-1}\|^2 \ge y\, \|u_{i-1}\|^2$, $2 \le i \le n$,
$|\mu_{ij}| \le 1/2$, $1 \le i < j \le n$.


An alternative definition of a $y$-reduced basis can be given as follows. Let $V_k$ be the $k$-dimensional linear subspace of $\mathbb{R}^n$ spanned by $\{v_1, v_2, \ldots, v_k\}$ or, equivalently, by $\{u_1, u_2, \ldots, u_k\}$.

Let $V_k^\perp$ be the orthogonal complement of $V_k$. Define $v_j^{(k)}$, $k+1 \le j \le n$, as the projection of $v_j$ onto $V_k^\perp$. In particular, $v_{k+1}^{(k)} = u_{k+1}$. Then it can be shown (see [LagO83]) that the two conditions in Definition 12.4 are equivalent to

$\|v_i^{(i-2)}\|^2 \ge y\, \|v_{i-1}^{(i-2)}\|^2$, $2 \le i \le n$, (12.8)

resp.

$|(v_j^{(i-1)}, v_i^{(i-1)})| \le \frac{1}{2} \|v_i^{(i-1)}\|^2$, $1 \le i < j \le n$. (12.9)

Note that (12.8) implies that the projection of $v_i$ onto $V_{i-2}^\perp$ should not be too small in size (when compared with the length of $u_{i-1}$). The inequality in (12.9) says that the projection of $v_j$ onto $u_i$ is relatively small.


These two statements can be interpreted by saying that the vectors in a y-reduced basis are of 
comparable size and all point in different directions. 


In the sequel, $y$ will always be $3/4$. The L³-algorithm (see [LenLL82]) is a very effective way to find a $y$-reduced basis for a lattice $\Lambda$. It will not be described in full detail here (see however Subsection 12.2.5). We quote the following facts from [LenLL82].


Theorem 12.2
Let $\{v_1, v_2, \ldots, v_n\}$ be a basis of an integer lattice $\Lambda$ in $\mathbb{Z}^n$ and let $B = \max_{1 \le i \le n} \|v_i\|$. Then the L³-lattice basis reduction algorithm produces a reduced basis $\{w_1, w_2, \ldots, w_n\}$ for $\Lambda$ in $O(n^6 (\log B)^3)$ bit operations.

Theorem 12.3
Let $\{w_1, w_2, \ldots, w_n\}$ be a reduced basis for an integer lattice $\Lambda$. Then
$\|w_1\| \le 2^{(n-1)/2} \min\{\|v\| \mid v \in \Lambda,\ v \ne \mathbf{0}\}$.

In fact, Prop. 1.12 in [LenLL82] shows that no vector in a reduced basis can be very long.


12.2.4 The L³-Attack

We can now present the idea behind the L³-attack. We want to find a solution to the knapsack problem $\sum_{i=1}^n x_i a_i = C$ (see (12.1)).

The idea of the attack will be to convert the parameters of the knapsack problem into a basis of some integer lattice $\Lambda$. Then we find a short vector in this lattice with the L³-lattice basis reduction algorithm. The hope will be that this short vector can be transformed back into the solution $\{x_i\}_{i=1}^n$ of (12.1).


L³-attack on $\sum_{i=1}^n a_i x_i = S$.

Step 1:
Define the vectors
$v_1 = (1, 0, \ldots, 0, -a_1)$,
$v_2 = (0, 1, \ldots, 0, -a_2)$,
$\vdots$ (12.10)
$v_n = (0, 0, \ldots, 1, -a_n)$,
$v_{n+1} = (0, 0, \ldots, 0, S)$.

Together they form a basis for an $(n+1)$-dimensional lattice $\Lambda$ in $\mathbb{Z}^{n+1}$. Note that for the solution $\{x_i\}_{i=1}^n$ one has
$\sum_{i=1}^n x_i v_i + v_{n+1} = (x_1, x_2, \ldots, x_n, 0)$.

So, this vector has length at most $\sqrt{n}$, which is relatively very short, e.g., if the knapsack has length $n = 100$ we have $\|\sum_{i=1}^n x_i v_i + v_{n+1}\| \le 10$.

Step 2:
Find a reduced basis $\{w_1, w_2, \ldots, w_{n+1}\}$ for $\Lambda$ with the L³-algorithm ([LenLL82]).

Step 3:
Check if one of the $n+1$ "short" vectors $w_i$, $1 \le i \le n+1$, has the property that $(w_i)_{n+1} = 0$ and that each of the first $n$ coordinates is either $0$ or $a$, for some constant $a$.

If so, check if the vector $\frac{1}{a}((w_i)_1, (w_i)_2, \ldots, (w_i)_n)$ is a solution of (12.1). If it is, STOP, otherwise continue with Step 4.

Step 4:
Repeat Steps 1, 2 and 3 with $S$ replaced by $\sum_{i=1}^n a_i - S$. If these steps result in a solution $\{x_i'\}_{i=1}^n$ for this new knapsack problem then $\{x_i\}_{i=1}^n$, defined by $x_i = 1 - x_i'$, $1 \le i \le n$, will be the solution of the original knapsack.
Example 12.6
Consider the knapsack problem with $\{a_i\}_{i=1}^{10} = \{541, 400, 259, 1059, 895, 590, 498, 973, 41, 649\}$ and $S = 4517$.


Let us first make the vectors $v_i$, $1 \le i \le 11$, as indicated by (12.10). We use the Mathematica functions Transpose, Append, IdentityMatrix, Do, Table, and MatrixForm.





a = {541, 400, 259, 1059, 895, 590, 498, 973, 41, 649};
s = 4517;
aux = Transpose[Append[IdentityMatrix[10], -a]];
Do[v[i] = aux[[i]], {i, 1, 10}];
v[11] = Append[Table[0, {10}], s];
Table[v[i], {i, 1, 11}] // MatrixForm








1  0  0  0  0  0  0  0  0  0   -541
0  1  0  0  0  0  0  0  0  0   -400
0  0  1  0  0  0  0  0  0  0   -259
0  0  0  1  0  0  0  0  0  0  -1059
0  0  0  0  1  0  0  0  0  0   -895
0  0  0  0  0  1  0  0  0  0   -590
0  0  0  0  0  0  1  0  0  0   -498
0  0  0  0  0  0  0  1  0  0   -973
0  0  0  0  0  0  0  0  1  0    -41
0  0  0  0  0  0  0  0  0  1   -649
0  0  0  0  0  0  0  0  0  0   4517

The vectors $\{v_1, v_2, \ldots, v_{11}\}$ form the basis of a lattice $\Lambda$.


Next we use the Mathematica function LatticeReduce to find a reduced basis. 


LatticeReduce[ Table[v[i], {i, 1, 11}]] 


{{1, -2, 1, 0, 0, 0, 0, 0, 0, 0, 0},
{1, 1, -1, 0, 0, -2, 1, 0, 0, 0, 0},
{0, 1, 0, -1, 0, 1, -1, 0, -2, 1, 0},
...,
{1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0}}

We see that only the last output is a two-valued vector on its first 10 coordinates. One of the values is indeed 0, the other value is $a = 1$. Trying out $\{x_i\}_{i=1}^{10} = \{1, 1, 0, 1, 1, 0, 0, 1, 0, 1\}$ gives indeed $\sum_{i=1}^{10} a_i x_i = S$.
x = {1, 1, 0, 1, 1, 0, 0, 1, 0, 1};
a.x == s

True


The computing time of Steps 1 and 3 in the L³-attack is negligible. Therefore, the running time of this algorithm is essentially (twice) the running time of the L³-algorithm, as given in Theorem 12.2. There is no guarantee that the L³-algorithm will find a solution of the knapsack problem. However, the authors of [LagO83] give the following analysis of the L³-algorithm.


Theorem 12.4
Let $B \ge 2^{\beta n}$ for some constant $\beta > 0$ and knapsack length $n$. Let $K(n, B)$ denote the number of knapsacks $\{a_i\}_{i=1}^n$ satisfying
1) $1 \le a_i \le B$ for all $1 \le i \le n$,
2) the L³-attack will find a $\{0, 1\}$-solution $\{x_i\}_{i=1}^n$ for (12.1) for each right hand side $S$ for which there exists such a solution.
Then
$K(n, B) = B^n (1 - \varepsilon(B))$,


where 


0< eB) < Ssh 


for some constant $C_1$ and where $C_2 = 1 - (1 + \beta)^{-1} > 0$.





Theorem 12.4 states that for any $\beta > 0$ and $n$ sufficiently large one can solve the knapsack problem for almost all knapsacks $\{a_i\}_{i=1}^n$ with density

$d(\mathbf{a}) < \dfrac{n}{\log_2 B} < \dfrac{1}{\beta}$.


With some additional work [LagO83], the inequality above can be weakened to 
d(laj}i) < (1 ~ ©) Toe. 


for any fixed $\varepsilon > 0$ and $n$. This inequality is probably not the best possible one.


12.2.5 The L³-Lattice Basis Reduction Algorithm

Recall that the L³-algorithm must find a basis $\{v_1, v_2, \ldots, v_n\}$ for an integer lattice that meets the requirement given in Definition 12.3:

$\|u_i + \mu_{i-1,i} u_{i-1}\|^2 \ge y\, \|u_{i-1}\|^2$, $2 \le i \le n$,
$|\mu_{ij}| \le 1/2$, $1 \le i < j \le n$,

where $\mu_{ij} = \dfrac{(v_j, u_i)}{(u_i, u_i)}$.

The L³-algorithm makes use of the following procedure:

Procedure reduce[k, l]
Input $1 \le l < k$
Compute $\mu_{lk}$
If $|\mu_{lk}| > 1/2$ then begin
  $r := \lfloor 0.5 + \mu_{lk} \rfloor$
  $v_k := v_k - r\, v_l$
end

The L³-algorithm now runs as follows:

L³-Algorithm
Input $\{v_1, v_2, \ldots, v_n\}$, basis of integer lattice
Initialize $k := 2$
While $k \le n$ do
begin
  reduce($k$, $k-1$)
  compute $\|u_k\|$, $\|u_{k-1}\|$ and $\mu_{k-1,k}$
  if $\|u_k\|^2 < (y - \mu_{k-1,k}^2)\, \|u_{k-1}\|^2$
  then begin exchange $v_k$ and $v_{k-1}$
    $k := \max\{2, k-1\}$
  end
  else begin reduce($k$, $l$) for $l = k-2, \ldots, 1$
    $k := k + 1$
  end
end

For further reading see [LenLL82]. Notice that only the basis $\{v_1, v_2, \ldots, v_n\}$ is adjusted in this algorithm. No vector $u_i$ enters the reduced basis; they are only used in the calculations.
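As an added example (not code from the book), the Gram-Schmidt process of Example 12.5, the L³-Algorithm above with $y = 3/4$, and the L³-attack of Subsection 12.2.4 are carried out below in Python with exact rational arithmetic; the attack is run on the knapsack of Example 12.6 and on a constructed low-density knapsack. All function names are this example's own.

```python
# Added example, not from the book: exact-arithmetic Gram-Schmidt, the L^3
# (LLL) reduction of Subsection 12.2.5 with y = 3/4, and the L^3-attack of
# Subsection 12.2.4. Function and variable names are this example's own.
from fractions import Fraction
from math import floor
from typing import List, Optional, Tuple


def dot(u, v) -> Fraction:
    """Inner product (u, v) over the rationals."""
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))


def gram_schmidt(basis) -> Tuple[List[List[Fraction]], List[List[Fraction]]]:
    """Orthogonal vectors u_i of the book's Gram-Schmidt process together with
    mu[j][i] = (v_j, u_i)/(u_i, u_i) for i < j, i.e. the book's mu_{ij}."""
    n = len(basis)
    ustar: List[List[Fraction]] = []
    mu = [[Fraction(0)] * n for _ in range(n)]
    for j, v in enumerate(basis):
        u = [Fraction(c) for c in v]
        for i in range(j):
            mu[j][i] = dot(v, ustar[i]) / dot(ustar[i], ustar[i])
            u = [uc - mu[j][i] * sc for uc, sc in zip(u, ustar[i])]
        ustar.append(u)
    return ustar, mu


def lll(basis: List[List[int]], y: Fraction = Fraction(3, 4)) -> List[List[int]]:
    """L^3-Algorithm of Subsection 12.2.5 (indices shifted to start at 0).
    Only the integer basis vectors change; the u_i are recomputed as needed."""
    b = [list(v) for v in basis]
    n = len(b)

    def reduce(k: int, l: int) -> None:
        """Procedure reduce[k, l]: make |mu_{lk}| <= 1/2 by subtracting r*v_l."""
        _, mu = gram_schmidt(b)
        if abs(mu[k][l]) > Fraction(1, 2):
            r = floor(mu[k][l] + Fraction(1, 2))
            b[k] = [vk - r * vl for vk, vl in zip(b[k], b[l])]

    k = 1
    while k < n:
        reduce(k, k - 1)
        ustar, mu = gram_schmidt(b)
        # Lovasz condition: ||u_k||^2 >= (y - mu_{k-1,k}^2) ||u_{k-1}||^2
        if dot(ustar[k], ustar[k]) < (y - mu[k][k - 1] ** 2) * dot(ustar[k - 1], ustar[k - 1]):
            b[k], b[k - 1] = b[k - 1], b[k]      # exchange v_k and v_{k-1}
            k = max(1, k - 1)
        else:
            for l in range(k - 2, -1, -1):       # reduce(k, l) for l = k-2, ..., 1
                reduce(k, l)
            k += 1
    return b


def l3_attack(a: List[int], S: int) -> Optional[List[int]]:
    """Steps 1-4 of the L^3-attack on sum a_i x_i = S; returns the 0/1 solution
    or None when no reduced basis vector has the required shape."""
    n = len(a)
    for target, complement in ((S, False), (sum(a) - S, True)):   # Step 4 = second pass
        basis = [[int(i == j) for j in range(n)] + [-a[i]] for i in range(n)]   # (12.10)
        basis.append([0] * n + [target])                                      # v_{n+1}
        for w in lll(basis):                                                  # Step 2
            values = set(w[:n]) - {0}
            if w[n] != 0 or len(values) != 1:                                 # Step 3
                continue
            c = values.pop()
            x = [wi // c for wi in w[:n]]
            if sum(ai * xi for ai, xi in zip(a, x)) == target:
                return [1 - xi for xi in x] if complement else x
    return None


# Data of Example 12.5 (Gram-Schmidt) and Example 12.6 (knapsack) from the book.
V_125 = [[3, 4, 2], [2, 5, 2], [1, 2, 6]]
A_126 = [541, 400, 259, 1059, 895, 590, 498, 973, 41, 649]
S_126 = 4517
# Constructed low-density knapsack (not from the book); it hides the weight-2 solution (1, 0, 0, 1).
A_LOW = [45171154, 40943312, 50271123, 12034014]
S_LOW = A_LOW[0] + A_LOW[3]

if __name__ == "__main__":
    print([[str(c) for c in u] for u in gram_schmidt(V_125)[0]])
    print(lll([[3, 1], [1, 2]]))          # reduced basis of the lattice of Example 12.4
    print(l3_attack(A_126, S_126), l3_attack(A_LOW, S_LOW))
```

For the low-density knapsack every lattice vector shorter than the L³ bound of Theorem 12.3 is a multiple of the solution vector, so the reduced basis is certain to expose it; for the high-density Example 12.6 the attack may or may not succeed, exactly as the text warns.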
12.3 The Chor-Rivest Variant


The Chor-Rivest scheme [ChoR85] is a knapsack based cryptosystem that does not convert a secret knapsack, for which the knapsack problem is easy to solve, into the public knapsack, for which the knapsack problem should be intractable. It does make use of the standard conversion of integers to binary sequences of fixed length. Further, it employs a fixed constant, a fixed choice of an irreducible polynomial, a fixed choice of a primitive element, a fixed permutation, and an exponentiation in a finite field for which the logarithm problem is tractable.


In [Vaud98], it is shown that the parameters suggested in [ChoR85] are not secure. The author 
gives suggestions to repair the original proposal. Here we shall only explain the original idea of the 
Chor-Rivest scheme. 


• Setting Up the System


1) Each user $U$ selects a finite field $GF(q)$ for which the logarithm problem is feasible (also by the cryptanalyst). For instance, in view of the Pohlig-Hellman Algorithm explained in Subsection 8.3.1, this can be achieved by letting $q - 1$ have only small prime factors. Further, the characteristic $p$ of $GF(q)$, so $q = p^k$ for some $k$, should satisfy $p > k$.

To represent $GF(q)$, $U$ uses a random irreducible polynomial $f(x)$ of degree $k$ over $\mathbb{Z}_p$. The elements of $GF(q)$ can be represented by $p$-ary polynomials of degree $< k$ (see Theorem B.15).

(Note that, for reasons of clarity, we have omitted the subscript $U$ in the above choices by $U$.)

2) User $U$ selects a random primitive element $\alpha$ in $GF(q)$. Primitive means that each non-zero element in $GF(q)$ can be written as some power $\alpha^i$ of $\alpha$, where $i < q - 1$. Note that $\alpha$, being an element in $GF(q)$, is also a $p$-ary polynomial of degree less than $k$.

3) For each $i \in \mathbb{Z}_p$, user $U$ determines the discrete logarithm of the field elements $x + i$ with respect to the primitive element $\alpha$. In other words, one needs to find exponents $B_i$, $i \in \mathbb{Z}_p$, satisfying

$\alpha^{B_i} \equiv x + i \pmod{f(x)}$. (12.11)

This is feasible by our assumption in 1).

4) Finally, user $U$ has to select a random permutation $\pi$ of $\{0, 1, \ldots, p-1\}$ and a random element $D$, $0 \le D < q - 1$. He computes the numbers

$b_i = B_{\pi(i)} + D \pmod{q - 1}$ (12.12)

and makes these numbers $b_0, b_1, \ldots, b_{p-1}$ public together with the value $q = p^k$.

(The reader should recall that $q - 1$ is the order of the multiplicative group of $GF(q)$, see Theorem B.20.)


Example 12.7 (Part 1)

Bob selects the finite field $GF(7^3)$, so $p = 7$ and $k = 3$. An irreducible polynomial $f(x)$ of degree 3 over $\mathbb{Z}_7$ can be found with the Mathematica function IrreduciblePolynomial, once the package Algebra`FiniteFields` has been loaded.

So, $f(x) = x^3 + 2x^2 + x + 4$. It turns out that $\omega = x$ is a primitive element in $GF(7^3)$. This can be checked as follows. From $q - 1 = 7^3 - 1 = 11 \times 31$, we see that the order of any element is either 1, 11, 31, or 342 (see Theorem B.5). But $\omega = x$ does not have order 11 or 31, as can be checked with the following calculations. (We use the GF-function. Note that f342 represents $GF(7^3) = \mathbb{Z}_7[x]/(f(x))$.)




To get a random primitive element $\alpha$ in $GF(7^3)$, Bob raises $\omega$ to the power $i$ with $\gcd(i, q - 1) = 1$ (see Lemma B.4). We use the functions Random, GCD, and While.





239 
We find $i = 239$. The random primitive element will be $\alpha = \omega^{239}$, which is $3 + 4x + 5x^2$:

{3, 4, 5}

It follows from $83 \times 239 \equiv 1 \pmod{q - 1}$ that $\omega = \alpha^{83}$.


To determine the numbers $B_i$ satisfying $\alpha^{B_i} \equiv x + i \pmod{f(x)}$ we use

{83, 101, 175, 90, 170, 321, 213}

We conclude that $B_0 = 83$, $B_1 = 101$, $B_2 = 175$, $B_3 = 90$, $B_4 = 170$, $B_5 = 321$, $B_6 = 213$. This can be checked with:

{{0, 1, 0}, {1, 1, 0}, {2, 1, 0}, {3, 1, 0}, {4, 1, 0}, {5, 1, 0}, {6, 1, 0}}


A few more things need to be done by Bob. He has to select a random number $D$, $0 \le D < q - 1$, and a random permutation $\pi$ of $\{0, 1, \ldots, 6\}$. We load the Mathematica package DiscreteMath`Combinatorica` and use the function RandomPermutation.





So, $D = 244$ and $\pi = \{6, 3, 7, 4, 5, 2, 1\}$, meaning that $\pi(1) = 6$, $\pi(2) = 3$, ..., $\pi(7) = 1$.

(The reader should watch out here. Mathematica labels the entries in a list starting with 1, while we start with 0.)
The public key is given by the sequence (12.12): $b_i = B_{\pi(i)} + D$. We use the functions Table and Mod.

{321, 175, 213, 90, 170, 101, 83}
{223, 77, 115, 334, 72, 3, 327}

Bob makes $\{b_i\}_{i=0}^6 = \{223, 77, 115, 334, 72, 3, 327\}$ public and also $k = 3$.


• Encryption


Now suppose that Alice wants to send a secret message to Bob. She looks up the public parameters $b_0, b_1, \ldots, b_{p-1}$ and $k$ of Bob. She calculates $q = p^k$. Alice's message is a number $M$ in between 1 and $\binom{p}{k}$.

Alice represents her message (in a manner that is shown below) as a binary string $m_0, m_1, \ldots, m_{p-1}$ of length $p$ and weight $k$ (exactly $k$ of the $m_i$'s are equal to 1), so

$\sum_{i=0}^{p-1} m_i = k$. (12.13)

Alice will send

$c = \left(\sum_{i=0}^{p-1} m_i b_i \bmod (q - 1)\right)$. (12.14)
Example 12.7 (Part 2)

Suppose that Alice wants to send a message to Bob. She looks up Bob's public parameters $k = 3$ and $\{b_i\}_{i=0}^6 = \{223, 77, 115, 334, 72, 3, 327\}$ (see Example 12.7). So, she knows that $p = 7$ (and $q = 7^3 = 343$).

Let Alice's message be $M = 19$ (which indeed lies in between 1 and $\binom{7}{3}$).

This can be represented by the binary sequence $\{m_i\}_{i=0}^6 = \{0, 1, 1, 0, 1, 0, 0\}$, as shown below.

The ciphertext $c$ that Alice will send will be $\sum_{i=0}^6 m_i b_i$, which is 264 in this case.








There is a recursive way to map a number $M$, $1 \le M \le \binom{p}{k}$, into a binary string $m_0, m_1, \ldots, m_{p-1}$ of length $p$ and weight $k$. It makes use of the well-known identity:

$\binom{p}{k} = \binom{p-1}{k} + \binom{p-1}{k-1}$.

If $M > \binom{p-1}{k}$ we put $m_{p-1} = 1$ and decrease $M$ by $\binom{p-1}{k}$. This new value will be in between 1 and $\binom{p-1}{k-1}$ and can be described by a string $m_0, m_1, \ldots, m_{p-2}$ of length $p - 1$ and weight $k - 1$.

On the other hand, if $M \le \binom{p-1}{k}$, put $m_{p-1} = 0$ and describe $M$ by a string $m_0, m_1, \ldots, m_{p-2}$ of length $p - 1$ and weight $k$.

Algorithm 12.5 Conversion from $M$ to $m_0, m_1, \ldots, m_{p-1}$ of weight $k$
Input $1 \le M \le \binom{p}{k}$
Example 12.8
Let $p = 7$ and $k = 3$. Then $\binom{7}{3} = 35$.
To find out into which binary sequence of length 7 and weight 3 the integer $M = 19$ will be mapped, we follow Algorithm 12.5, which makes use of the Mathematica functions Table, If, Do, and Binomial.
• Decryption


Bob receives $c$, which is in fact $c = \left(\sum_{i=0}^{p-1} m_i b_i \bmod (q - 1)\right)$ by (12.14). He computes $C = c - k \cdot D$ with his secret $D$ (see (12.12)).

Next, Bob computes $\alpha^C$. Now note that in $GF(q)$:

$\alpha^C = \alpha^{c - kD} = \alpha^{(\sum_{i=0}^{p-1} m_i b_i) - kD} \overset{(12.12)}{=} \alpha^{\sum_{i=0}^{p-1} m_i (B_{\pi(i)} + D) - kD} \overset{(12.13)}{=} \alpha^{\sum_{i=0}^{p-1} m_i B_{\pi(i)}} = \prod_{i=0}^{p-1} \left(\alpha^{B_{\pi(i)}}\right)^{m_i} \overset{(12.11)}{=} \prod_{i=0}^{p-1} (x + \pi(i))^{m_i}$.

This means that
$\alpha^C \equiv \prod_{i=0}^{p-1} (x + \pi(i))^{m_i} \pmod{f(x)}$.

Next, we add a suitable multiple of $f(x)$ to $\alpha^C$ to make its polynomial representation monic. So, for some $\beta \in GF(q)$: $a(x) = \alpha^C + \beta \cdot f(x)$ is monic.

Since also $\prod_{i=0}^{p-1} (x + \pi(i))^{m_i}$ is monic, the above in fact implies that
$a(x) = \prod_{i=0}^{p-1} (x + \pi(i))^{m_i}$.
It follows that $m_i = 1$, $0 \le i \le p - 1$, if and only if $-\pi(i)$ is a zero of $a(x)$.

We summarize the decryption process in the following algorithm.

Example 12.7 (Part 3)
We continue with Example 12.7. Assume that Bob receives the ciphertext $c = 264$.

Bob's secret parameters are $k = 3$, $D = 244$, $\pi = \{6, 3, 7, 4, 5, 2, 1\}$, $f(x) = 4 + x + 2x^2 + x^3$ and $\alpha = 3 + 4x + 5x^2$.

Bob subtracts $k \cdot D$ from $c$.
Next he raises $\alpha$ to the power $C$. To write this as a polynomial we use the function ElementToPolynomial.

2 + x + 3x²

Next, Bob has to add $f(x)$ to get the monic polynomial $a(x)$. We use the function PolynomialMod.

6 + 2x + 5x² + x³

We factor this by means of the function Factor.

(2 + x) (4 + x) (6 + x)

The inverse permutation of $\pi$ can be computed with InversePermutation (in the package DiscreteMath`Combinatorica` that we have already loaded).

{7, 6, 2, 4, 5, 1, 3}

We subtract 1 from these elements because $\pi$ acts on $\{0, 1, \ldots, 6\}$ instead of $\{1, 2, \ldots, 7\}$. We get

{6, 5, 1, 3, 4, 0, 2}

From this we see that the numbers 2, 4, and 6 are mapped to 1, 4, and 2 under $\pi^{-1}$. In other words, $\pi$ maps 1, 2, and 4 to 2, 4, resp. 6.

We conclude that the message vector has ones on the coordinates 1, 2, and 4 (and thus zeros on the coordinates 0, 3, 5, and 6), i.e. the message vector is given by $\{m_i\}_{i=0}^6 = \{0, 1, 1, 0, 1, 0, 0\}$.

This is indeed equal to the value that was chosen during encryption.
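As an added example (not the book's code and not a reference implementation of the scheme), the following Python program carries Example 12.7 through the whole of Section 12.3: the setup from Bob's secret parameters (the $B_i$ by exhaustive discrete logarithms, then the public key), Algorithm 12.5 and its inverse, encryption (12.14) and the root-finding decryption. All function names are this example's own; the bits of Algorithm 12.5 are assigned from $m_0$ upward, which is the order that reproduces Example 12.8.

```python
# Added example, not from the book: the Chor-Rivest scheme of Section 12.3 with
# Bob's parameters from Example 12.7. Elements of GF(7^3) are coefficient lists
# [c0, c1, c2] for c0 + c1 x + c2 x^2, reduced modulo f(x) and modulo p.
# All function names are this example's own; the constants come from the book.
from math import comb
from typing import Dict, List, Tuple

P, K = 7, 3
Q = P ** K                      # q = 343, so q - 1 = 342
F = [4, 1, 2, 1]                # f(x) = 4 + x + 2x^2 + x^3 (irreducible over Z_7)
ALPHA = [3, 4, 5]               # alpha = 3 + 4x + 5x^2, Bob's primitive element
D = 244                         # Bob's secret shift D, 0 <= D < q - 1
PI = [5, 2, 6, 3, 4, 1, 0]      # the book's permutation {6,3,7,4,5,2,1} made 0-based


def mul(u: List[int], v: List[int]) -> List[int]:
    """Product in GF(p^k): multiply, then eliminate x^deg (deg >= k) with f(x)."""
    prod = [0] * (2 * K - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] = (prod[i + j] + ui * vj) % P
    for deg in range(2 * K - 2, K - 1, -1):
        c = prod[deg]
        for t in range(K + 1):              # subtract c * x^(deg-k) * f(x)
            prod[deg - K + t] = (prod[deg - K + t] - c * F[t]) % P
    return prod[:K]


def power(base: List[int], e: int) -> List[int]:
    """base^e by square-and-multiply; exponents live modulo q - 1."""
    result, b, e = [1] + [0] * (K - 1), base, e % (Q - 1)
    while e:
        if e & 1:
            result = mul(result, b)
        b, e = mul(b, b), e >> 1
    return result


def log_table() -> Dict[Tuple[int, ...], int]:
    """Discrete logs to base alpha by exhaustive search: with q - 1 = 342 this
    is the 'feasible logarithm problem' that step 1) of the setup requires."""
    table, cur = {}, [1] + [0] * (K - 1)
    for e in range(Q - 1):
        table[tuple(cur)] = e
        cur = mul(cur, ALPHA)
    assert len(table) == Q - 1, "alpha is not primitive"
    return table


def public_key() -> List[int]:
    """Steps 3) and 4): B_i with alpha^{B_i} = x + i (12.11), then
    b_i = B_{pi(i)} + D mod (q - 1) (12.12)."""
    logs = log_table()
    B = [logs[tuple([i, 1] + [0] * (K - 2))] for i in range(P)]
    return [(B[PI[i]] + D) % (Q - 1) for i in range(P)]


def int_to_weight_k(M: int, p: int = P, k: int = K) -> List[int]:
    """Algorithm 12.5: 1 <= M <= C(p, k) -> m_0 ... m_{p-1} of weight k. Bits are
    decided from m_0 upward, the order that reproduces Example 12.8."""
    m = []
    for i in range(p):
        left = p - i - 1                    # positions still undecided
        if M > comb(left, k):               # M falls in the upper C(left, k-1) block
            m.append(1)
            M, k = M - comb(left, k), k - 1
        else:
            m.append(0)
    return m


def weight_k_to_int(m: List[int], k: int = K) -> int:
    """Inverse of Algorithm 12.5 (the direction Problem 12.6 asks for)."""
    M = 1
    for i, bit in enumerate(m):
        if bit:
            M, k = M + comb(len(m) - i - 1, k), k - 1
    return M


def encrypt(M: int, pub: List[int]) -> int:
    """(12.13)/(12.14): c = sum m_i b_i mod (q - 1)."""
    return sum(mi * bi for mi, bi in zip(int_to_weight_k(M), pub)) % (Q - 1)


def decrypt(c: int) -> int:
    """C = c - kD; a(x) = alpha^C + f(x) is monic and equals prod (x + pi(i))^{m_i},
    so m_i = 1 exactly when -pi(i) is a root of a(x) in Z_p."""
    C = (c - K * D) % (Q - 1)
    a = [(ai + fi) % P for ai, fi in zip(power(ALPHA, C) + [0], F)]
    roots = {r for r in range(P) if sum(ai * pow(r, t, P) for t, ai in enumerate(a)) % P == 0}
    m = [1 if (-PI[i]) % P in roots else 0 for i in range(P)]
    return weight_k_to_int(m)


if __name__ == "__main__":
    pub = public_key()
    print("public key", pub, "ciphertext of 19:", encrypt(19, pub), "decrypts to", decrypt(264))
```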


12.4 Problems 


Problem 12.1 
Solve the knapsack problem if the elements are given by 333, 41, 4, 172, 19, 3, 80, and 11 and if the total size of the knapsack equals 227.


Problem 12.2 
Solve the knapsack problem if the elements are given by 31, 32, 46, 51, 63, 72 and 87 and if the total size of the knapsack equals 227.


Problem 12.3*

A knapsack cryptosystem has the numbers 381, 424, 2313, 2527, 2535, 3832, 3879, and 4169 as public 
key. They are obtained by multiplying the elements of a super-increasing sequence by W = 4673 and 
reducing the result modulo 5011. 

Decrypt message 11678. 


Problem 12.4 

Let $p_1, p_2, \ldots, p_n$ be a sequence of different prime numbers and let $P$ be their product. The numbers $a_i$, $1 \le i \le n$, are defined by $a_i = P/p_i$.

Let $S = \sum_{i=1}^n x_i \cdot a_i$, where each element $x_i$ is either 0 or 1.

Give a simple algorithm to recover the numbers $x_i$, $1 \le i \le n$, from $S$.


Problem 12.5*

Let $C = 5738$ be the ciphertext obtained through a knapsack encryption with $\{u_i\}_{i=1}^{10} = \{437, 1654, 1311, 625, 1250, 1720, 663, 1420, 63, 319\}$ as public knapsack.

Apply the L³-attack to find the plaintext.


Problem 12.6 
Which integer will be mapped to the binary vector (1, 1, 0, 1, 1, 0, 1, 0, 1, 1) by Algorithm 12.5?


Problem 12.7*
Work out a complete Chor-Rivest cryptosystem example (including encryption and decryption) for the 
parameters p = 11, k = 2. 


13 Hash Codes & Authentication Techniques 


13.1 Introduction 


In Section 1.1 we mentioned confidentiality (privacy) as the first reason why people use cryptosystems. Of course, this goal is very important and it does lead to interesting mathematical issues, but for the vast majority of data secrecy is not the user's prime concern.


Authentication and integrity on the other hand are almost always essential. Think, for instance, of 
receivers of data files, E-mail messages, fax, etc. Violation of the confidentiality does (in general) 
little harm, but significant damage may be done if somebody else is able to tamper with data files. 


When studying authentication schemes one needs to distinguish between the following goals:
i) Does one want unconditional security or just computational security?
ii) Do the various parties trust each other or not?
iii) Is there a mutually trusted third party?
iv) Are the data files typically very long or just short?
v) Is confidentiality also an issue?
vi) Is the system intended for multiple use or just for single use?


The first two distinctions especially have led to completely different research areas. The main topic of Section 13.3 will be authentication schemes with unconditional security. This means that even with unlimited computing power the opponent can not break the system. These schemes are usually called authentication codes and a particular subclass of them is called A-codes.


Computationally secure systems are based on mathematical assumptions like the infeasibility of 
factoring large numbers or of taking discrete logarithms. These methods are called digital 
signature schemes and have already been discussed in Sections 8.1.2, 8.2.1, 8.2.2, and 9.1.4. 


If a file is very long and confidentiality is not an issue, a very common technique to add proof of authenticity and/or integrity to it is to send it just like it is and then add a relatively short sequence of bits (e.g. 100-200) that depend in an intricate way on all the bits in the original message. This tail should be proof that the message indeed came from the assumed sender and that its contents have not been changed.


The standard way to realize this is to hash the file in a cryptographically secure way into a short 
sequence and compute a signature on this hash value. It is the signature of the hash value that is 
appended to the original file. If an authentication scheme is slow in its implementations (as is the case with digital signature schemes), this two-step approach may make them very practical.


In many applications, the hash function also makes use of a secret key that sender and receiver 
share. These systems, which are called Message Authentication Codes (MAC's) are not 
unconditionally secure, because somebody with unlimited computing power can, in principle, try 
out all keys. 


Hash functions and MAC's are the topic of Section 13.2. 


13.2 Hash Functions and MAC's 


We do not intend to give a formal description of various types of hash codes. For our purposes, a 
global understanding of these codes and their properties suffices. 


A hash function (or hash code) is a mapping $h$ from $A^*$, the set of all sequences of symbols from an alphabet $A$, to $A^m$, where $m$ is some fixed positive integer. So, each sequence over $A$ (of arbitrary length) will be mapped to a sequence over $A$ of length $m$. In typical applications $A = \{0, 1\}$ and the value of $m$ ranges somewhere between 64 and 256.


Since one normally wants very fast implementations of hash functions $h$, we also require that it is easy to evaluate the hash value for any sequence over $A$.


To make a hash function cryptographically secure, one often requires one or more of the following 
properties to hold. 


H1: The hash function $h$ is a one-way function (see Section 7.1.2), i.e. for almost all outputs $b$ it is computationally infeasible to find an input $a \in A^*$ such that $b = h(a)$.

H2: The hash function $h$ is weak collision resistant. This means that for a given value of $a$ it is computationally infeasible to find a second value $a' \in A^*$, $a \ne a'$, such that $h(a) = h(a')$.

H3: The hash function $h$ is strong collision resistant. This means that it is computationally infeasible to find a pair of values $a, a' \in A^*$, $a \ne a'$, such that $h(a) = h(a')$.


The implications of these requirements may be clear to the reader. For instance, H2 implies that if the hash value $h(a)$ of a file $a$ is protected by a digital signature, one can not replace it by another file $a'$ with the same hash value, simply because it is infeasible to find such an $a'$.


Property H3 is even much stronger and makes it possible to convince a judge that the system has 
been compromised. 


Example 13.1 


Consider $m = 1$ and $A = \mathbb{Z}_n$. To hash $a = (a_0, a_1, \ldots, a_l)$ one simply takes $b = (\sum_i a_i \bmod n)$. This hash value depends on all symbols in $a$ and is easy to compute, but it does not meet any of the requirements H1-H3.

Example 13.2


Consider again $m = 1$ and $A = \mathbb{Z}_n$. To hash $a = (a_0, a_1, \ldots, a_l)$ one computes $b = ((\sum_i a_i)^2 \bmod n)$. If $n$ is a large composite number, property H1 will hold, because taking square roots modulo such an integer $n$ is considered to be infeasible (see Theorem 9.18).


With the Mathematica functions Mod and Length this hash function can be easily evaluated. 





Properties H2 and H3 are not met, because $-a$ will have the same hash value as $a$. Also, when one coordinate is increased and the next one decreased by the same amount, the hash value remains the same.
















Even if a hash function meets properties H1-H3, it is still possible to intercept a transmission $(a, h(a))$ and replace it with another file $(a', h(a'))$. For this reason, one sometimes wants to introduce a secret key, shared by sender and receiver. The hash function $h$ will now be called a message authentication code (MAC) and is a function of $A^* \times K$ to $A^m$, where $K$ is the key space, just as in conventional cryptosystems.


Example 13.3 


Let $m = 64$ and $A = \mathbb{Z}_2$. With $DES_k(u)$ we denote a DES encryption of a block $u$ of length 64 under key $k$. Assume that $k$ is the key that Alice and Bob share.

Now, consider a binary file $\{a_1, a_2, \ldots, a_l\}$ of length $l$ that Alice is going to send to Bob. Alice first pads it with sufficient zeros to make the length a multiple of 64. Let $L$ be this new length. To compute the hash value on $\{a_1, a_2, \ldots, a_L\}$ Alice follows the following algorithm:

Algorithm 13.1 Using DES as Message Authentication Code

input binary string $\{a_1, a_2, \ldots, a_L\}$, padded to make $64 \mid L$
initialize $h = \{0, 0, \ldots, 0\}$
for $i = 0$ to $(L/64) - 1$ do $h := DES_k(h \oplus \{a_{64i+1}, a_{64i+2}, \ldots, a_{64i+64}\})$
output hash value $h$


The receiver duplicates the above calculations to verify that the file has not been changed and was indeed sent by Alice.


Of course, we could have used any other block cipher instead of DES in this example.


It is also possible to use a block cipher as a keyless hash function. To this end one also makes the 
key a public parameter. 


The implicit assumption when using a block cipher for authentication purposes is that for a fixed 
key it behaves as a random permutation on the input set. Also, one hopes that the block cipher is 
cryptographically secure. In the next section, authentication codes will be discussed that are not 
based on any mathematical assumption. 


There are many different standards for hash functions. The reader is referred to [MeOoV97] and 
[Schn96]. 


13.3. Unconditionally Secure Authentication Codes 


13.3.1 Notions and Bounds 


No authentication scheme can give an absolute guarantee that an accepted message comes from a 
particular user, say Alice. For instance, there is always a small probability that a (randomly or 
otherwise) generated sequence could have been made by Alice, but in fact was not. It will then be 
accepted by others as a genuine document from Alice. 


It follows that it is necessary to define and compute the probability of a successful fraud. However, 
in such computations there is an essential difference between assuming the computational security 
of certain problems (as we do in public key cryptosystems), or not making any further assumptions 
at all (unconditional security). This last situation will be the topic of this section. 


We shall assume that Alice and Bob trust each other and have agreed upon a secret key. This 
assumption is not really necessary, but then the notion of a trusted third party (like an arbitrator) 
must be introduced. 


Let us start with a simple example. 
Example 13.4


Alice wants to send a single bit of information (a yes or a no) to Bob by means of a word of length 2. Alice and Bob have 4 possible keys available. Alice and Bob make use of the following matrix:


Table 13.1 Authentication Code for two messages.

key \ sent | 00 | 01 | 10 | 11

So, message 1 will be sent as word 11 under the third key.


The probability that somebody else can successfully impersonate Alice is 1/2, because only two of the four words in {00, 01, 10, 11} are possible as transmitted word under the joint secret key of Alice and Bob.

An opponent Eve who tries to replace a transmitted message by another one will know that only two keys can possibly have been used, but she does not know which one. So, the probability of a successful substitution is also 1/2. For instance, if Eve intercepts 01, she knows that either message 1 was sent (under key 1) or message 0 was sent (under key 3). In the first case, she needs to transmit 00 and in the second case it should be 11, therefore, she succeeds with probability 1/2.


The above scheme even gives secrecy, because every transmitted word can come from message 0 or from message 1 (both with probability 1/2).


The general definition of an authentication code (we deviate here from the standard notation in the 
theory of authentication codes in order to avoid confusion with the standard notation in the theory 
of error-correcting codes) is as follows: 


Definition 13.1
An authentication code is a triple (M, K, C) and a mapping f : M × K → C such that for all m, m' ∈ M and for all k ∈ K

f_k(m) = f_k(m') ⇒ m = m'. (13.1)


The set M is called the message set, K the key set, and C the codeword set.


An authentication code can be depicted by a table U with the rows indexed by the keys k in K, the columns indexed by the codewords c in C and entry (k, c) in U given by m if an m ∈ M exists such that f_k(m) = c (such an m is unique by (13.1)) and by a hyphen if such an m does not exist. We shall call this table the authentication matrix of the code.

In Example 13.4 above, M = {0, 1}, K = {1, 2, 3, 4} and C = {00, 01, 10, 11}. The authentication matrix of this code is given by Table 13.1.


Condition (13.1) implies that f_k is an injective mapping for each possible key.


When Bob receives codeword c ∈ C from Alice, he will accept it as a signed version of message m ∈ M, where m is uniquely determined by f_k(m) = c. Here k is the key that Alice and Bob have agreed upon. To make the system practical, f_k should be easily invertible for each key. To this end, f_k (and C) will often have a much simpler structure.


Definition 13.2
An A-code is a triple (M, K, T) and a mapping g : M × K → T.
Given key k ∈ K, message m ∈ M will be transmitted as (m, t), where t = g_k(m) is called the authenticator of m.


By taking f_k(m) = (m, g_k(m)) and C = M × T we see that an A-code is a special case of an authentication code.


A good authentication code is designed in such a way that fraudulent words c are spread evenly over C, while the subset of words that the legitimate receiver expects, knowing the common key k ∈ K, is only a fraction of this set.


Thus the aim of an authentication code is that not only Bob, but also an arbitrator, can check the authenticity of a properly made c (in the case of an A-code by verifying that g_k(m) = t, in the case of a general authentication code by checking that c is in the image space of f_k), but an impersonator who does not know the key has only a small probability of getting a word c accepted. An attack by an impersonator is called an impersonation attack.


The same should be true if the enemy wants to replace a genuine codeword c (made with the proper key) by another one, say c', that represents a different message. This kind of attack is called a substitution attack. Note that in this case, some information on the key is available to the opponent. We shall not discuss systems in which the same key can be safely used more than once by the legitimate users.


In the following definitions we shall assume that keys will be chosen from K with a uniform distribution and that messages will be chosen from M with a uniform distribution.


Let us assume that a general authentication code is being used by Alice and Bob. To maximize the probability of a successful impersonation, the opponent can do no better than select and send a codeword c ∈ C that will have the highest probability of being accepted by the legitimate receiver. This is the case if for the maximum number of keys k ∈ K the codeword c will be in the image space of f_k.


Another way of saying this is that one looks for the column in the authentication matrix that has 
the maximum number of non-hyphen entries. The column index c of that column will be sent. 
Definition 13.3
The probability P_I is the maximum probability of a successful impersonation attack, i.e.

P_I = max_{c ∈ C} |{k ∈ K | c ∈ f_k(M)}| / |K|. (13.2)


In Example 13.4, each codeword is the image of a message under exactly two of the four keys (each column counts two non-hyphens). So, P_I = 2/4 = 1/2.


In case of a substitution attack one has intercepted a codeword c ∈ C. This restricts the possible keys that may have been used by sender and receiver to {k ∈ K | c ∈ f_k(M)}. The best attack for the opponent is to search among those codewords that are possible with these keys for the one that occurs the most often.


A different way of saying this is that in the authentication matrix of the code one looks at the column under the intercepted c and removes all rows from the matrix that have a hyphen in that column (these rows are indexed by a key that can not have been used). Also delete the column indexed by c. Among the remaining columns one looks for the one with the largest number of non-hyphen entries. The column index c' of that column will be substituted for c.


Definition 13.4
The probability P_S is the maximum probability of a successful substitution attack, i.e.

(13.3)





In Example 13.4, each codeword is the image of a message under exactly two of the four keys. For each of these two keys, the other possible message will be mapped to a distinct codeword. So, P_S = 1/2.


The maximum of the two probabilities in (13.2) and (13.3) is often called the probability of successful deception. In formula

P_D = max{P_I, P_S}. (13.4)


Since an authentication function f_k is injective for each k ∈ K, it follows that exactly |M| codewords must be authentic for any given key. In other words, it follows that each row of the authentication matrix U of an authentication code has exactly |M| non-hyphen entries. Since U has |K| rows and |C| columns it follows that the average number of non-hyphen entries over the columns of U is |K| × |M| / |C|. So, the maximum fraction of non-hyphen entries per column is at least |M| / |C|. This proves the following theorem.


294 FUNDAMENTALS OF CRYPTOLOGY 


Theorem 13.2
The maximum probability P_I of a successful impersonation in an authentication scheme for (M, K, C) satisfies

P_I ≥ |M| / |C|.
Similarly, in the case of the substitution attack the restriction of the authentication matrix U to the rows where an intercepted codeword c has non-hyphen entries consists of |{k ∈ K | c ∈ f_k(M)}| rows, each with |M| - 1 non-hyphen entries. After deleting the column indexed by c, this restriction has |C| - 1 columns. So, the average value of the relative frequency of non-hyphen entries in this restriction of U is (|M| - 1)/(|C| - 1). This proves the following bound.


Theorem 13.3
The maximum probability P_S of a successful substitution in an authentication scheme for (M, K, C) satisfies

P_S ≥ (|M| - 1)/(|C| - 1).


If the messages and keys are not uniformly distributed over the message space and key space, it is still possible to derive lower bounds on P_I, P_S, and P_D. In these lower bounds, functions appear that we have discussed in Chapter 5. For the proofs of the next two theorems, we refer the interested reader to [Joha94b].


Theorem 13.4
Let M, K, and C denote random variables defined on M, K, and C, related by a function f : M × K → C satisfying (13.1). Further, let H(X | Y) and I(X; Y) denote the conditional entropy function resp. the mutual information function. Then

P_I ≥ 2^{-I(C; K)}, (13.5)
P_S ≥ 2^{-H(K | C)}, (13.6)
P_D ≥ 2^{-H(K)/2}. (13.7)


The bound in (13.7) is called the square root bound. Authentication codes meeting this bound are 
called perfect. 


Theorem 13.5
A necessary condition for an authentication code to be perfect is that

|M| ≤ √|K| + 1.
For further reading on authentication codes, we refer the reader to [GiIMW74], [MeOoV97], [Schn96], and [Simm9?].


13.3.2 The Projective Plane Construction 


In [GiIMW74] one can find a nice description of a perfect authentication scheme. We first need to describe what a projective plane is, before we can explain this construction.


A Finite Projective Plane


A projective plane is a kind of geometric object that differs somewhat from planes in regular Euclidean geometry. It is defined in a formal way by a set of axioms which, among other things, do not allow for parallel lines! After the definition we shall give a construction of these projective planes that will explain the name "projective".


We start with a finite set P, whose elements are called points. Further, L is a collection of subsets l ⊆ P, called lines. We shall say that a point P "lies" on a line l, if P ∈ l. Also, two lines may "intersect" in a point, etc., so, we adopt all the regular terminology from geometry. To avoid trivialities, we shall assume that all lines contain at least two points ((l ∈ L) ⇒ (|l| ≥ 2)).


Definition 13.5
The pair (P, L) is called a finite projective plane if the following axioms hold:

PP-1: There are at least four points, no three of which lie on the same line.
PP-2: For every pair of points there is a unique line going through them.
PP-3: Every pair of lines intersect in a unique point.


Property PP-1 is there to avoid the following object in our considerations. All lines have cardinality two and go through the same point (depicted below) except for one line which goes through the remaining points.
Theorem 13.6
Let (P, L) be a projective plane. Then there exists a constant n, called the order of the plane, such that:

PP-4 Every line contains exactly n + 1 points.
PP-5 Every point lies on exactly n + 1 lines.
PP-6 |P| = |L| = n^2 + n + 1.





Proof:
Proof of PP-4: Every line contains exactly n + 1 points.

Our first step is to show the claim that each point in P lies on at least three different lines. Let us start with four points P, Q, R, and S no three of which are collinear (see PP-1). For each of these points, any of the other three defines a unique line through them by PP-2. For a point T not on any of the lines going through two of the points P, Q, R, and S, the claim is also trivial (each of these four points defines a unique line through T). We leave it as an exercise to the reader to prove the claim for a point that is on one of the six lines going through two of the points P, Q, R, and S.


Now, consider an arbitrary point P. We know that at least three lines go through it. Let Q be a point on one of these lines, say on line l. We shall show that all the other lines through P have the same cardinality. To this end, let A_0 = P, A_1, A_2, ..., A_m be the points on line m through P (where m ≠ l) and let B_0 = P, B_1, B_2, ..., B_n be the points on line n through P (where n ≠ l, n ≠ m). We need to show that m = n.

For each 0 < i ≤ m there is a unique line through Q and A_i by PP-2. By PP-3 this line will intersect n in a point, say B_{π(i)}. This is a one-to-one mapping, because a line through Q and B_{π(i)} can not intersect m in two points (by PP-3). We conclude that m ≤ n. By interchanging the role of m and n we may conclude that m = n.


So, all the lines through P, except possibly for the line that also meets Q, have the same cardinality n + 1. By putting Q on one of the other lines through P, say n, and repeating the above argument, we may conclude that all lines through P have cardinality n + 1.

Let U be another point. For exactly the same reason as above, all the lines through U have the same cardinality, say u + 1. However, one of these lines also goes through P by PP-2. It follows that u = n.


Proof of PP-5: Every point lies on exactly n + 1 lines.


Consider a point P and a line m not through P. Let the points on m be numbered M_1, M_2, ..., M_{n+1}. Each point M_i on m together with P defines a unique line passing through them (property PP-2). These lines are all different by the uniqueness property in PP-2. On the other hand, every line through P must intersect m in a unique point. We conclude that n + 1 lines pass through P.


Proof of PP-6: |P| = |L| = n^2 + n + 1.

Consider a point P. There are n + 1 lines through P, each containing n other points. This gives rise to 1 + (n + 1)n points. There are no other points in P by PP-2.

Similarly, consider a line l. There are n + 1 points on it, each being on n other lines. This gives rise to 1 + (n + 1)n lines. There are no other lines in L by PP-3. (Notice the symmetry between points and lines in Definition 13.5.)


Example 13.5 


Take n = 2. Then |P| = |L| = 7. Each line contains three points and each point lies on three lines. This projective plane is depicted in the following figure.





The 7 lines in this figure are the three outer edges, the three bisectors and the circle in the middle. So, L consists of the following seven lines:

l_1 = {P_1, P_2, P_3}, l_2 = {P_1, P_4, P_5},
l_3 = {P_1, P_6, P_7}, l_4 = {P_2, P_4, P_6},
l_5 = {P_2, P_5, P_7}, l_6 = {P_3, P_4, P_7},
l_7 = {P_3, P_5, P_6}.


The projective plane of order 2 is unique and is called the Fano plane. 
A projective plane is often described by means of its incidence matrix. This is the matrix A of which the rows are indexed by the lines l ∈ L, the columns by the points P ∈ P and where

A_{l,P} = 1 if P on l,
A_{l,P} = 0 otherwise.


The incidence matrix of the Fano plane (with the labeling given in the figure above, rows l_1, ..., l_7 and columns P_1, ..., P_7) is

1 1 1 0 0 0 0
1 0 0 1 1 0 0
1 0 0 0 0 1 1
0 1 0 1 0 1 0
0 1 0 0 1 0 1
0 0 1 1 0 0 1
0 0 1 0 1 1 0


The properties in Definition 13.5 and Theorem 13.6 can be directly translated into the following matrix requirements.

PP-2 Every two different columns of A have inner product 1.
PP-3 Every two different rows of A have inner product 1.
PP-4 Every row of A has n + 1 ones.
PP-5 Every column of A has n + 1 ones.
PP-6 Matrix A has n^2 + n + 1 rows and columns.


These properties can be summarized in the formula

A A^T = A^T A = nI + J, (13.8)

where J is the all-one matrix of size (n^2 + n + 1) × (n^2 + n + 1) and I the identity matrix (of the same size).


For the example above we can check this with the Mathematica functions Transpose and MatrixForm.

MatrixForm[A.Transpose[A]]

MatrixForm[Transpose[A].A]







A General Construction of a Projective Plane


There is a general construction of projective planes of order q, where q is a prime power. There are other constructions of projective planes, but they all have an order that is a prime power. It has been shown that no projective plane exists of order 6 or 10.


Let V(3, q) denote a 3-dimensional vector space over GF(q), the finite field of q elements. Its elements are vectors a = (a_1, a_2, a_3) with a_i in GF(q). The cardinality of V(3, q) is q^3. Let 0 = (0, 0, 0).


Each line through 0 can be described by a non-zero vector a:

{λa | λ ∈ GF(q)}. (13.9)

Of course, non-zero scalar multiples of a will give rise to the same line in V(3, q). So, there are (q^3 - 1)/(q - 1) = q^2 + q + 1 different lines through 0.


Similarly, a plane through 0 in V(3, q) can be described by a non-zero vector u:

{(a_1, a_2, a_3) ∈ V(3, q) | a_1 u_1 + a_2 u_2 + a_3 u_3 = 0}. (13.10)

Again, non-zero scalar multiples of u will give rise to the same plane in V(3, q), therefore, there are (q^3 - 1)/(q - 1) = q^2 + q + 1 different planes through 0. A different way to describe a plane through 0 is {λa + μb | λ ∈ GF(q), μ ∈ GF(q)}.


Each non-zero point on a plane through 0 defines a line through 0. As before, non-zero scalar multiples of this point define the same line. We conclude that there are (q^2 - 1)/(q - 1) = q + 1 lines (through 0) on a plane (through 0).

Each line {λa | λ ∈ GF(q)} can be embedded in a plane {λa + μb | λ ∈ GF(q), μ ∈ GF(q)} by selecting any of the q^3 - q points not on the line. Of course, not all these planes are different. A particular plane containing {λa | λ ∈ GF(q)} can be obtained by any of the q^2 - q points in the plane not on the line. It follows that each line (through 0) lies on exactly (q^3 - q)/(q^2 - q) = q + 1 planes (through 0).


Theorem 13.7
Let P be the set of lines through 0 in V(3, q), where q is a prime power, and let L be the set of planes through 0 in V(3, q). Then (P, L) is a projective plane of order q.
Remark 1:
It is easy to get confused here. The projective points correspond to lines in V(3, q) (through 0) and the projective lines correspond to planes in V(3, q) (through 0).


Remark 2:
Note that we have already verified the properties PP-4, PP-5, and PP-6 mentioned in Theorem 13.6.


Proof:
Proof of PP-1:

The four lines through 0 and each of the points (1, 0, 0), resp. (0, 1, 0), (0, 0, 1), (1, 1, 1) define four projective points in P, no three of which lie on a projective line. The reason is that no three of these four points in V(3, q) lie on the same plane through 0.


Proof of PP-2:

Let P and Q be two different projective points, and let them be defined by the lines {λa | λ ∈ GF(q)} and {λb | λ ∈ GF(q)} in V(3, q). There is exactly one plane containing these two lines, namely {λa + μb | λ ∈ GF(q), μ ∈ GF(q)}. This plane defines the unique projective line through P and Q.


Proof of PP-3:

Let l and m be two different projective lines. They correspond to two planes in V(3, q) through 0. The line of intersection of these two planes is a line through 0, which defines the unique projective point on both l and m.

□


There are different techniques of generating a set of q^2 + q + 1 non-zero points in V(3, q) that will give rise to different lines and planes through 0 in V(3, q) (see (13.9) and (13.10)), i.e. to q^2 + q + 1 different projective points and projective lines.


A nice way, as we shall see in the following example, is to take a primitive element in GF(q^3), say ω, represent it as a vector in V(3, q), and take as points the elements 1, ω, ..., ω^{q^2+q}. Indeed, let α = ω^{(q^3-1)/(q-1)} = ω^{q^2+q+1}. Since ω has order q^3 - 1, it follows that α has order q - 1. It also follows that {0, 1, α, ..., α^{q-2}} = GF(q) (see Theorem B.29 and the Remark at the end of Subsection B.4.6). This means that for each 1 ≤ j ≤ q - 2 the points ω^i and ω^{i + j(q^3-1)/(q-1)} in V(3, q) give rise to the same projective point and thus we only have to consider 1, ω, ..., ω^{q^2+q}.


Example 13.6 


Take q = 3. To find a primitive polynomial of degree 3 over GF(3), we first have to load the Mathematica package Algebra`FiniteFields`. After that we can apply the function FieldIrreducible.

<< Algebra`FiniteFields`




So, GF(3^3) can be described by the set of ternary polynomials modulo f(x) = x^3 + 2x^2 + 1. Let ω ∈ GF(3^3) be a zero of f(x). Since f(x) is a primitive polynomial, it follows that ω has order 26. This can be checked with







The element α = ω^{(q^3-1)/(q-1)} is ω^13 = 2 in this case. Indeed, {0, 1, 2} = GF(3).


So, the 3^2 + 3 + 1 = 13 projective points can be found by computing ω^i, 0 ≤ i < 13. In this example, we take the equivalent set 1 ≤ i ≤ 13 to keep the output uniform in appearance.





{0, 1, 0},
{0, 0, 1},
{2, 0, 1},
{2, 2, 1},
{2, 2, 0},
{0, 2, 2},
{1, 0, 1},
{2, 1, 1},
{2, 2, 2},
{1, 2, 1},
{2, 1, 0},
{0, 2, 1},
{2, 0, 0}


To check if a projective point a = (a_1, a_2, a_3) lies on the projective line defined by ω^i = (u_1, u_2, u_3) (see (13.10)), we need to check if a_1 u_1 + a_2 u_2 + a_3 u_3 = 0. In Mathematica this can be done as follows (the [[1]] removes the subscript in the presented output).





(2, 2, 0} 


{, 2,1} 
False 


So, we are now ready to generate the projective plane of order 3. We present it by means of its incidence matrix (row i is the plane defined by ω^i, column j the point ω^j, i, j = 1, ..., 13).

A =
0 1 1 0 0 0 1 0 0 0 0 0 1
1 0 0 0 1 0 0 0 0 0 1 0 1
1 0 0 0 0 0 1 0 1 1 0 0 0
0 0 0 1 0 1 1 0 0 0 1 0 0
0 1 0 0 0 0 0 1 0 1 1 0 0
0 0 0 1 0 0 0 0 0 1 0 1 1
1 0 1 1 0 0 0 1 0 0 0 0 0
0 0 0 0 1 0 1 1 0 0 0 1 0
0 0 1 0 0 0 0 0 1 0 1 1 0
0 0 1 0 1 1 0 0 0 1 0 0 0
0 1 0 1 1 0 0 0 1 0 0 0 0
0 0 0 0 0 1 0 1 1 0 0 0 1
1 1 0 0 0 1 0 0 0 0 0 1 0

We can check the properties PP-2, PP-3 and PP-4, PP-5 by computing (see (13.8))


The Projective Plane Authentication Code


Definition 13.6
Let (P, L) denote a projective plane. Let l be one of the projective lines. The corresponding authentication code (M, K, C) is defined by M = l, K = {P ∈ P | P ∉ l}, C = L \ {l} and the mapping f_P(Q) is the unique line c through P and Q, P ∈ K, Q ∈ M.


In words, the message set M consists of the points on l, the key space K consists of all points not on l, the code set C consists of all lines in L, except for l itself.

Finding the message back from the received codeword c is quite easy. Just intersect c = f_P(Q) with l. Their intersection point is the message.


That the above scheme defines an authentication code is easy to check. Its parameters are given in 
the following theorem. 


Theorem 13.8
The A-code defined by a projective plane of order n has parameters

|M| = n + 1, |K| = n^2, |C| = n^2 + n.

The probabilities of success for the impersonation and substitution attack are given by

P_I = P_S = 1/n.





The reader may want to check the above theorem on the Fano plane below. The four points not on l form the key space K, the three points on l the message space M, and the other six lines the codeword set C.
Proof of Theorem 13.8:

The parameters in this theorem follow directly from Theorem 13.6.

To compute P_I, we observe that an opponent can do no better than to select as a codeword a line c (c ≠ l) that contains as many points outside l (these are the possible keys) as possible. However, this number of points outside l is independent of the choice of c. It is n by PP-4. So, by (13.2),

P_I = n/|K| = n/n^2 = 1/n.


Similarly, if the opponent has observed codeword c (not equal to l), there are still n keys (points on c but not on l) possible. Let P be the intersection of c with l. To replace it with another message (point Q on l) the opponent can do no better than select a line d through such a point Q with as many points on c as possible. But by PP-2 this number is 1, independent of the choice of c and d, namely the unique point of intersection of c and d. So, by (13.3),

P_S = 1/n.

□


The authentication codes coming from projective planes are perfect because P_I, P_S, and P_D are all 1/n, which is equal to 1/√|K|. Moreover, |M| = n + 1 = √|K| + 1, so Theorem 13.5 tells us that the message set is of maximal size given this key set.
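Definitions 13.3 and 13.4 evaluated on an authentication matrix, and Definition 13.6 applied to the Fano plane of Example 13.5, as an added example (not the book's code). It serves both the Example 13.4 computation of P_I and P_S and the check of Theorem 13.8 suggested above. The rows of keys 2 and 4 in the Example 13.4 matrix are an assumption consistent with the facts stated in the text, since Table 13.1 is not reproduced here.

```python
from fractions import Fraction


def p_impersonation(U):
    """P_I of (13.2): U is {key: {codeword: message}}, a missing codeword being a hyphen.
    For each codeword c count the rows (keys) with an entry under c; take the best column."""
    codewords = {c for row in U.values() for c in row}
    return max(Fraction(sum(c in U[k] for k in U), len(U)) for c in codewords)


def p_substitution(U):
    """P_S of Definition 13.4, as the text describes it: after intercepting c keep only the
    rows with an entry under c, delete column c, take the remaining column with most entries."""
    codewords = {c for row in U.values() for c in row}
    best = Fraction(0)
    for c in codewords:
        consistent_keys = [k for k in U if c in U[k]]
        for c2 in codewords - {c}:
            hits = sum(c2 in U[k] for k in consistent_keys)
            best = max(best, Fraction(hits, len(consistent_keys)))
    return best


def p_deception(U):
    """P_D of (13.4)."""
    return max(p_impersonation(U), p_substitution(U))


def code_parameters(U):
    """(|M|, |K|, |C|) read off the authentication matrix."""
    messages = {m for row in U.values() for m in row.values()}
    codewords = {c for row in U.values() for c in row}
    return len(messages), len(U), len(codewords)


# Authentication matrix of Example 13.4. Keys 1 and 3 are as the text states (00 -> 0, 01 -> 1
# under key 1; 01 -> 0, 11 -> 1 under key 3); keys 2 and 4 are an assumed completion in which
# every column holds exactly two entries, one per message, as the text requires.
EXAMPLE_13_4 = {
    1: {"00": 0, "01": 1},
    2: {"10": 0, "00": 1},
    3: {"01": 0, "11": 1},
    4: {"11": 0, "10": 1},
}

# The seven lines of the Fano plane exactly as listed in Example 13.5 (points numbered 1..7).
FANO = {
    "l1": {1, 2, 3}, "l2": {1, 4, 5}, "l3": {1, 6, 7}, "l4": {2, 4, 6},
    "l5": {2, 5, 7}, "l6": {3, 4, 7}, "l7": {3, 5, 6},
}


def projective_plane_code(lines, l):
    """Definition 13.6: M = points on l, K = points off l, C = the other lines, and
    f_P(Q) = the unique line through key P and message Q (PP-2). Returns the matrix U."""
    points = set().union(*lines.values())
    messages = lines[l]
    U = {}
    for P in points - messages:
        U[P] = {}
        for Q in messages:
            (c,) = [name for name, pts in lines.items() if P in pts and Q in pts]
            U[P][c] = Q
    return U
```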


A construction of authentication codes by means of shift register sequences can be found in 
[Joha94a]. Its implementation is simpler than the projective plane construction above. For large 
message sets, e.g. data files, the codes discussed in Section 13.3.4 may be more practical. 


Hash Codes & Authentication Techniques 305 


13.3.3 A-Codes From Orthogonal Arrays 





Note that the above implies that each symbol occurs exactly λn times in each row.


Example 13.7 (Part 1) 
An example of an OA(4, 5, 1) is given by





Proof: The parameters of this A-code follow from those of U. 


The chance that an impersonation attack succeeds is 1/n, because each symbol occurs equally often in a row of U.


The probability of a successful substitution attack is also 1/n. The reason is that each intercepted authenticator occurs λ times with each possible symbol, no matter which message was intercepted and which message one wants it to be replaced with.


Example 13.7 (Part 2) 


For instance, in the matrix U defined above, message 4 under key 13 will be authenticated by

When message 4 is intercepted with authenticator 1, one knows that the key is among {2, 8, 11, 13}. Mathematica can find these positions with the functions Flatten and Position.







Each other row has all four symbols on these four locations. This can be checked with the functions MatrixForm and Transpose. The [[1]] below gives the restriction of the matrix to the rows indexed by the elements of the list L.





There is a great deal of literature on orthogonal arrays. See [Hall67] or [BeJL86] for constructions, bounds and existence results. For instance, it is known that an OA(q, q + 1, 1) exists for all prime powers q, because orthogonal arrays with these parameters exist if and only if projective planes of order q exist (see Theorem 13.7 for a construction of a projective plane of order q).


Below we give a sketch of the proof of this result. 


Let (P, L) be a projective plane of order q. Pick any of the lines l in L. Number the points on l by P_1, P_2, ..., P_{q+1} and the other points by Q_1, Q_2, ..., Q_{q^2}.

Let L_i, 1 ≤ i ≤ q + 1, be the collection of all lines through P_i except for l itself. By PP-5, each L_i has cardinality q. Number the lines in each L_i from 1 to q.

Define U_{ij}, 1 ≤ i ≤ q + 1, 1 ≤ j ≤ q^2, as k, where k, 1 ≤ k ≤ q, is the index of the unique line in L_i that meets Q_j (which is the unique line in L through P_i and Q_j). Then U is an OA(q, q + 1, 1).
Example 13.8

Consider the incidence matrix A of the projective plane of order 3 in Example 13.6.

A =
0 1 1 0 0 0 1 0 0 0 0 0 1
1 0 0 0 1 0 0 0 0 0 1 0 1
1 0 0 0 0 0 1 0 1 1 0 0 0
0 0 0 1 0 1 1 0 0 0 1 0 0
0 1 0 0 0 0 0 1 0 1 1 0 0
0 0 0 1 0 0 0 0 0 1 0 1 1
1 0 1 1 0 0 0 1 0 0 0 0 0
0 0 0 0 1 0 1 1 0 0 0 1 0
0 0 1 0 0 0 0 0 1 0 1 1 0
0 0 1 0 1 1 0 0 0 1 0 0 0
0 1 0 1 1 0 0 0 1 0 0 0 0
0 0 0 0 0 1 0 1 1 0 0 0 1
1 1 0 0 0 1 0 0 0 0 0 1 0


We define a function RowSwap to perform row exchanges in a matrix.

RowSwap[B_, i_, j_] := Module[{U, V}, U = B; V = U[[i]]; U[[i]] = U[[j]]; U[[j]] = V; U]

Next we perform some column permutations on A to get a line l as top row with all its points on the left. We use the Transpose function.

B = Transpose[A];
B = RowSwap[B, 1, 7]; B = RowSwap[B, 4, 13];
B = Transpose[B];


MatrixForm[B]
Next we perform a number of row exchanges to get the subsets L_i nicely aligned (L_1 will appear in rows 2, 3, 4, L_2 in rows 5, 6, 7, etc).





The last 9 columns define the orthogonal array OA(3, 4, 1). For instance, column 5 minus its first entry looks like (1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1). This vector is the concatenation of four three-tuples, each containing one 1. It will be mapped to four entries in {1, 2, 3}, depending on whether the 1 is on the first coordinate, the second, or the third, therefore, column 5 will be mapped to

(1, 2, 3, 3).


In this way the last 9 columns are mapped with the Mathematica functions Table, If, and Do to the 4 × 9 matrix:

This is indeed an OA(3, 4, 1) and hence it defines an A-code with |M| = 4, |K| = 9, |T| = 3 and P_I = P_S = 1/3.
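Theorem 13.7 and the orthogonal-array sketch above in code, as an added example that is not the book's Mathematica: it builds the incidence matrix of the plane of order q from V(3, q), checks (13.8), and derives the OA(q, q + 1, 1) of Example 13.8 from it. It assumes q prime, so that GF(q) arithmetic is reduction mod q, and represents each projective point by the vector with leading coordinate 1 rather than by a power of a primitive element.

```python
from itertools import product


def projective_points(q):
    """The q^2 + q + 1 lines through 0 in V(3, q), each given by the vector of (13.9) whose
    first non-zero coordinate is 1. Assumes q prime (GF(q) = integers mod q)."""
    points = []
    for v in product(range(q), repeat=3):
        nonzero = [x for x in v if x]
        if nonzero and nonzero[0] == 1:
            points.append(v)
    return points


def incidence_matrix(q):
    """Rows: planes through 0 given by u as in (13.10); columns: lines through 0 given by a.
    Entry 1 iff a_1 u_1 + a_2 u_2 + a_3 u_3 = 0 in GF(q)."""
    pts = projective_points(q)
    return [[int(sum(a * u for a, u in zip(pt, plane)) % q == 0) for pt in pts] for plane in pts]


def satisfies_13_8(A, n):
    """A A^T = A^T A = nI + J: n + 1 on the diagonal, 1 everywhere else."""
    size = len(A)
    target = [[n + 1 if i == j else 1 for j in range(size)] for i in range(size)]
    aat = [[sum(A[i][k] * A[j][k] for k in range(size)) for j in range(size)] for i in range(size)]
    ata = [[sum(A[k][i] * A[k][j] for k in range(size)) for j in range(size)] for i in range(size)]
    return aat == target and ata == target


def orthogonal_array(A):
    """The sketch of Subsection 13.3.3: l = the line of row 0, P_i = points on l, Q_j = the
    others; U[i][j] = index (1..q) within L_i of the unique line through P_i and Q_j, where
    L_i lists the lines through P_i other than l."""
    l = 0
    on_l = [j for j, e in enumerate(A[l]) if e]
    off_l = [j for j, e in enumerate(A[l]) if not e]
    U = []
    for P in on_l:
        L_i = [r for r in range(len(A)) if r != l and A[r][P]]  # q lines, by PP-5
        row = []
        for Q in off_l:
            (line,) = [r for r in L_i if A[r][Q]]  # unique by PP-2; unpacking fails otherwise
            row.append(L_i.index(line) + 1)
        U.append(row)
    return U


def is_orthogonal_array(U, n, lam=1):
    """OA(n, k, lam): symbols 1..n, lam*n^2 columns, and any two rows show each of the
    n^2 symbol pairs exactly lam times."""
    if any(set(row) - set(range(1, n + 1)) for row in U):
        return False
    for i in range(len(U)):
        for j in range(i + 1, len(U)):
            pairs = list(zip(U[i], U[j]))
            if len(pairs) != lam * n * n or len(set(pairs)) != n * n:
                return False
            if any(pairs.count(p) != lam for p in set(pairs)):
                return False
    return True
```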


Note that the last 9 columns in U (or A) can be further permuted to get 





13.3.4 A-Codes From Error-Correcting Codes 


In [JohKS93] it is shown how authentication codes can be constructed from error-correcting codes (EC-codes) and vice versa. In this subsection we shall show how to convert an EC-code to an A-code. Our description is slightly different from the original one.


Let C be any (n, |C|, d_H) EC-code over GF(q), i.e. C is a subset of V(n, q), the n-dimensional vector space over GF(q), with minimum Hamming distance d_H. The latter means that all elements in C, which are called codewords, differ in at least d_H coordinates from each other. The dimension n of V(n, q) is also called the length of C.


Let C have the additional property that

c ∈ C ⇒ c + λ1 ∈ C, for all λ ∈ GF(q), (13.11)

where 1 stands for the all-one vector.


For instance, any linear code containing the all-one vector satisfies (13.11). Note that (13.11) implies that q divides the cardinality of C.


The relation ~ defined on C by

c ~ c' if and only if c - c' = λ1 for some λ ∈ GF(q), (13.12)

defines an equivalence relation on C. Let M be a subcode of C, containing one representative from each equivalence class. So, M has cardinality |C|/q and C = {m + λ1 | m ∈ M, λ ∈ GF(q)}.


Let m;, 0 <i<|C|/q, be any enumeration of the codewords in M. As message set M for the 
authentication code that we are constructing, we take M = {0, 1, ...,({C{/g)— 1}. This means 
that we have a 1-1 correspondence between the subcode M and the index set M. It is often 
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convenient not to distinguish between these two sets. So, from now on we shall speak of message 
m; instead of message i. 


Example 13.9 (Part 1)

Consider the binary linear code $C$ with generator matrix

[generator matrix $G$ not legible in the extraction]

This means that $C$ consists of the 16 vectors in the (binary) linear span of the rows. It is easy to check that different codewords in $C$ differ in at least 3 coordinates. This makes $C$ a (7, 16, 3) code in $V(7, 2)$. Some readers may recognize $C$ as a Hamming code.

That the all-one word is in $C$ can easily be checked. It follows that $C$ satisfies (13.11).

As subcode $M$ of $C$ we take all codewords in $C$ with first coordinate equal to 0. So, $M$ consists of the linear span of the lower three rows of $G$. The message set $\mathcal{M} = \{0, 1, \ldots, 7\}$ will be identified with $M$.


The key set $\mathcal{K}$ of the authentication code that we are constructing will consist of the pairs $(i, \lambda)$ with $1 \le i \le n$ and $\lambda \in GF(q)$. So, $\mathcal{K} = \{1, 2, \ldots, n\} \times GF(q)$ and $|\mathcal{K}| = nq$.

The authenticator $g_k(m)$ of message $m \in M$ under key $k = (i, \lambda)$ is simply given by

$$g_k(m) = m_i + \lambda. \qquad (13.13)$$

So, the authenticator set $\mathcal{T}$ is just $GF(q)$.





Theorem 13.10

The A-code defined by (13.13) has parameters

(13.14)

and probabilities of deception

$$P_I = 1/q, \qquad P_S = 1 - d_H/n. \qquad (13.15)$$


Remark:
To make $P_S$ acceptably low, one needs EC-codes with $d_H$ close to $n$. For $q$-ary codes this is no problem, as we shall see in Example 13.10. Of course, $q$ also needs to be large.


Proof of Theorem 13.10:

The parameters in (13.14) follow immediately from the construction.

To compute $P_I$, we note that an opponent who wants to impersonate the sender needs to find the right authenticator for his message $m'$. However, for each coordinate $1 \le i \le n$ the set $\{m'_i + \lambda \mid \lambda \in GF(q)\}$ is equal to $GF(q)$. In other words, each symbol occurs equally often as authenticator of $m'$. So, the probability that the opponent will choose the correct authenticator is $1/q$, independent of the choice of the authenticator and independent of the message $m'$ that the opponent tries to transmit. This proves that $P_I = 1/q$.

An opponent who wants to replace an authenticated message $(m, t)$, where $t = g_k(m)$, by another authenticated message knows that the key in use is from a set of $n$ possible keys $(i, \lambda)$. To be more precise, for each coordinate $1 \le i \le n$ there is exactly one value of $\lambda$ such that $m_i + \lambda = t$.

The optimal strategy for the opponent who wants to substitute another authenticated message for $(m, t)$ is to find a message $m'$, $m' \ne m$, and a symbol $t'$ such that $g_k(m') = t'$ for as many of those $n$ keys as possible. This symbol $t'$ is the authenticator for $m'$ that will be accepted most likely.

It remains to show that $t'$ will be accepted in at most $n - d_H$ cases, which implies that the probability of a successful substitution is at most $(n - d_H)/n = 1 - d_H/n$. This assertion follows from

$$\begin{aligned}
&|\{(i, \lambda) \in \{1, 2, \ldots, n\} \times GF(q) \mid m_i + \lambda = t \ \text{and}\ m'_i + \lambda = t'\}| \\
&= |\{1 \le i \le n \mid (m - m')_i = t - t'\}| \\
&= n - d_H(m - m', (t - t')\mathbf{1}) \\
&\le n - d_H,
\end{aligned}$$

because $m - m'$ and $(t - t')\mathbf{1}$ are different words in the code $C$ ($m$ and $m'$ are in different equivalence classes).


Example 13.9 (Part 2)

To illustrate the second part of the proof above, we continue with the code of Example 13.9. If Alice wants to send message 7, she finds $m$ with the Mathematica function IntegerDigits from the binary digits of 7 (which select the lower three rows of $G$):

{0, 1, 1, 1, 0, 0, 1}

(Remember that all messages had their first coordinate equal to 0.)

Suppose that Alice and Bob have agreed upon key (3, 1). Then Alice will append the authenticator $t = m_3 + 1 = 0 \pmod 2$ to her message, therefore Alice will send

{7, 0}

Opponent Eve, observing this pair, can conclude that the key is in the set $\{(i, \lambda) \mid 1 \le i \le 7,\ m_i + \lambda = t \pmod 2\} = \{(1, 0), (2, 1), (3, 1), (4, 1), (5, 0), (6, 0), (7, 1)\}$. To verify this, we use the Mathematica functions Table and Mod.

{{1, 0}, {2, 1}, {3, 1}, {4, 1}, {5, 0}, {6, 0}, {7, 1}}

Suppose now that Eve wants to substitute message 5 for Alice's message. The corresponding codeword $m'$ is given by

[codeword $m'$ not legible in the extraction; as the counts below show, it agrees with $m$ in four coordinates and differs from it in three]

If Eve chooses $t' = 0$ as authenticator she has a probability of 4/7 of getting her message accepted, because exactly four of the possible keys would lead to this authenticator. With authenticator $t' = 1$ this probability is 3/7. (We use the Mathematica functions Length and Intersection to test this.)
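The construction of this subsection and the attack of Example 13.9 can be checked by exhaustive enumeration. The following Python example is added here and is not part of the book: it assumes a constructed generator matrix for the cyclic [7,4,3] Hamming code whose first row is the all-one word and whose lower three rows span the codewords with first coordinate 0 (the book's own matrix $G$ and message ordering are not reproduced on this page, so individual message numbers may differ). It builds $C$, the subcode $M$, the key set and the authenticator of (13.13), computes $P_I$ and $P_S$ by trying every forgery, and replays Eve's substitution attack for the observed pair $(m, t)$ of Part 2.

```python
from fractions import Fraction
from itertools import combinations, product

Q = 2   # field size; a prime, so coordinates are plain integers mod Q
N = 7   # code length

# Constructed generator matrix of the cyclic [7,4,3] Hamming code (assumption of
# this example; the book's own G is not reproduced on this page).  The all-one
# word is the first row, so (13.11) holds, and the lower three rows span exactly
# the codewords with first coordinate 0, the subcode M of Example 13.9.
G = [
    (1, 1, 1, 1, 1, 1, 1),
    (0, 1, 1, 0, 1, 0, 0),
    (0, 0, 1, 1, 0, 1, 0),
    (0, 0, 0, 1, 1, 0, 1),
]


def linear_span(rows, q=Q):
    """All GF(q)-linear combinations of the rows (q prime), sorted."""
    n = len(rows[0])
    return sorted({tuple(sum(c * r[j] for c, r in zip(coeffs, rows)) % q
                         for j in range(n))
                   for coeffs in product(range(q), repeat=len(rows))})


def min_distance(code):
    """Minimum Hamming distance d_H of the code."""
    return min(sum(a != b for a, b in zip(u, v)) for u, v in combinations(code, 2))


def representatives(code, q=Q):
    """Subcode M: one codeword from each class c ~ c + lambda*1 of (13.12)."""
    reps, seen = [], set()
    for c in code:
        if c not in seen:
            reps.append(c)
            seen.update(tuple((x + lam) % q for x in c) for lam in range(q))
    return reps


def all_keys(n=N, q=Q):
    """Key set K = {1, ..., n} x GF(q)."""
    return [(i, lam) for i in range(1, n + 1) for lam in range(q)]


def tag(m, key, q=Q):
    """Authenticator g_k(m) = m_i + lambda of (13.13); i is 1-based."""
    i, lam = key
    return (m[i - 1] + lam) % q


def consistent_keys(m, t, q=Q):
    """Keys under which the observed pair (m, t) is valid: exactly one per coordinate."""
    return [k for k in all_keys(len(m), q) if tag(m, k, q) == t]


def impersonation_probability(M, q=Q):
    """P_I: the best fraction of keys that accept a forged pair (m', t')."""
    K = all_keys(len(M[0]), q)
    best = max(sum(tag(m, k, q) == t for k in K) for m in M for t in range(q))
    return Fraction(best, len(K))


def best_substitution(M, m, t, q=Q):
    """Eve saw (m, t): the (m', t') accepted by the most keys consistent with it,
    together with its success probability."""
    keys = consistent_keys(m, t, q)
    m2, t2, hits = max(((m2, t2, sum(tag(m2, k, q) == t2 for k in keys))
                        for m2 in M if m2 != m for t2 in range(q)),
                       key=lambda cand: cand[2])
    return m2, t2, Fraction(hits, len(keys))


def substitution_probability(M, q=Q):
    """P_S: the worst case over every pair (m, t) Eve may observe."""
    return max(best_substitution(M, m, t, q)[2] for m in M for t in range(q))


if __name__ == "__main__":
    C = linear_span(G)
    M = representatives(C)
    n, d = len(C[0]), min_distance(C)
    print(f"|C| = {len(C)}, d_H = {d}, |M| = {len(M)}, |K| = {len(all_keys())}")
    print(f"P_I = {impersonation_probability(M)}, P_S = {substitution_probability(M)},"
          f" 1 - d_H/n = {Fraction(n - d, n)}")
    # Replay of Example 13.9 (Part 2): Alice sends m under key (3, 1).
    m = (0, 1, 1, 1, 0, 0, 1)
    t = tag(m, (3, 1))
    print("observed", (m, t), "-> keys still possible:", consistent_keys(m, t))
    print("Eve's best forgery (m', t', success probability):", best_substitution(M, m, t))
```

The enumeration confirms (13.15) for this code: $P_I = 1/2$ and $P_S = 4/7 = 1 - 3/7$, and the seven keys consistent with $(m, 0)$ are exactly the set listed in Part 2. Eve's best forgery always reaches the bound because $M$ contains two codewords at distance exactly $d_H$.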
Example 13.10

The $q$-ary Reed-Solomon code of dimension $k$ (see [MacW77]) has length $n = q - 1$ and minimum distance $d_H = n - k + 1$. By multiplying each coordinate with a suitable constant, one may assume that $\mathbf{1} \in C$. Theorem 13.10 gives an A-code with parameters

$$|\mathcal{M}| = q^{k-1}, \quad |\mathcal{K}| = (q - 1)q, \quad |\mathcal{T}| = q, \qquad P_I = 1/q, \quad P_S = 1 - d_H/n = \frac{k - 1}{q - 1} \le \frac{k}{q - 1}.$$


The method explained in this section is certainly not the only way to make A-codes from EC-codes. It does have the property that each impersonation attack has the same probability of success (namely $1/q$).

Since every message can have each symbol in $\mathcal{T} = GF(q)$ as authenticator, it follows that the codeword set $\mathcal{C}$ has cardinality $|\mathcal{M}| \cdot q$. This implies that Theorem 13.2 holds with equality.

In [JohKS93] the authors also show how to convert an A-code into an error-correcting code.
13.4 Problems

Problem 13.1
Prove that properties PP1, PP2, PP3 in Definition 13.5 imply that a projective plane also contains four lines, no three of which go through the same point.

Problem 13.2
Prove that the Fano plane is unique (apart from a relabelling of the points and lines).

Problem 13.3
Compare the Projective Plane Authentication Code construction (see Definition 13.6) with the authentication code with $\mathcal{M} = \mathcal{K} = \mathcal{C} = \mathbb{Z}_q$ defined by the one-time pad, i.e. $m \to c$ with $c = m + k \pmod q$. Also answer this question when $\mathcal{M}$ is a random subset of $\mathbb{Z}_q$ of size $\sqrt{q}$.

Problem 13.4
Check that the rows of the incidence matrix in Example 13.6 can be permuted in such a way that the matrix becomes a circulant (each row is a cyclic shift to the right of the previous row).

Problem 13.5*
Use the same technique as in Example 13.6 to determine the top row of an incidence matrix of a projective plane of order 5. Cycle this row around and check that it does define a projective plane of order 5.

Problem 13.6*
Convert the orthogonal array OA(4, 5, 1) in Example 13.7 into a projective plane of order 4.

Problem 13.7
Show that condition (13.11) in Theorem 13.10 can be replaced by the requirement that $C$ contains at least one codeword of weight $n$.

Problem 13.8*
Repeat Example 13.9 (both parts) for the ternary $(11, 3^6, 5)$ code generated by

[generator matrix not legible in the extraction]
14 Zero Knowledge Protocols

Cryptographic protocols are exchanges of data between two or more parties following a precise order and format with the goal of achieving a particular security objective. Of course, the above definition is not very precise, but we have already seen some examples of cryptographic protocols. One is the identity verification protocol in Subsection 4.1.2, another is the Diffie-Hellman key exchange protocol in Subsection 8.1.2, and a few others are mentioned in Section 8.2.

A zero-knowledge proof is a technique to convince somebody else that one has certain knowledge, without having to reveal even a single bit of information (or a fraction thereof) about that knowledge. As a consequence, neither the verifier nor any passive eavesdropper gains any information from taking part in any number of executions of the protocol.

One may think of using a zero-knowledge protocol in the situation that one wants to use an ATM to withdraw money from a bank account. Instead of having to enter a PIN code it should be enough to convince the teller that one knows this PIN code. One wants to do this in such a way that no information about the PIN code is released. In the next section, we shall give an example of how this can be done. In Section 14.2, another identity verification protocol will be presented.


14.1 The Fiat-Shamir Protocol

As in Subsection 4.1.2, we are again in the situation that a smart card wants to convince a smart card reader that it is genuine. A trusted party that has to issue these cards selects a large composite number $n$, for instance $n$ is the product of two large primes $p$ and $q$, just as in the RSA system. The number $n$ is a system parameter known to all parties.

The security of the Fiat-Shamir protocol [FiaS87] will be based on the assumption that taking square roots modulo a large composite number $n$ is, in general, intractable. This is the same assumption that was made in the Rabin variant of the RSA system (Section 9.5). In Theorem 9.18, it was shown that the problem of finding a square root modulo a composite number is as hard as factoring it.

The trusted party computes an identity number $ID$ for the smart card that should have the additional property that

$$ID \equiv s^2 \pmod n \qquad (14.1)$$

for some integer $s$. The number $ID$ may be computed from the name of the card holder and other relevant data, but a few bits should be left open for the trusted party to complete in order to make $ID$ the square of an integer modulo $n$ ($ID$ has to be a quadratic residue mod $p$ and mod $q$).

The trusted party computes the square root $s$ of $ID$ (it can do this because it knows the factorization of $n$, see Subsection 9.5.3) and stores $s$ in a segment of the memory of the smart card that is not accessible from the outside world.

One round of the Fiat-Shamir protocol is depicted in Figure 14.1 below.


Smart Card                                   Card Reader
knows s, ID, n                               knows n
                    ---- ID ---->
generates a random r
computes t = (r^2 mod n)
                    ---- t ---->
                                             selects random e from {0, 1}
                    <---- e ----
computes u = (r.s^e mod n)
                    ---- u ---->
                                             checks if u^2 = t.ID^e (mod n)

Fiat-Shamir identification protocol (one round)

Figure 14.1


The smart card or card holder makes the identity number $ID$ known to the card reader. To prove that the card was indeed issued by the trusted party, the card wants to convince the card reader that it knows $s$, the square root of $ID$ modulo $n$.

To this end, the card generates a random number $r$, computes its square

$$t = (r^2 \bmod n) \qquad (14.2)$$

and sends that to the card reader. In the jargon of this field, $t$ is called a witness to the card's knowledge of $r$.

The card reader selects a random number $e$ from $\{0, 1\}$ and presents that as a challenge to the card. How the card responds to the challenge depends on the value of $e$.

If $e = 0$, the card simply sends the random number $r$ back. The card reader then checks if its square is indeed equal to the value $t$ that it received earlier from the card.

If $e = 1$, the card computes $u = r \cdot s$, the product of the random number $r$ and the secret square root $s$, and sends $u$ to the card reader. The card reader checks if $u^2$ is indeed equal to $t \cdot ID$ modulo $n$, which should be the case, since $t \equiv r^2 \pmod n$ and $ID \equiv s^2 \pmod n$.

In Figure 14.1, these two alternatives are combined in the response $u = (r \cdot s^e \bmod n)$. The card reader checks if

$$u^2 \equiv t \cdot ID^e \pmod n. \qquad (14.3)$$

It may be clear that if the card can supply $r$ (when $e = 0$) and at the same time can supply $r \cdot s$ (when $e = 1$), it must know the square root $s$ of $ID$. It is also clear that if the smart card fails the test in (14.3), the card reader will reject the smart card.

If an unauthorized smart card knows beforehand the value of the challenge $e$, it can fool the card reader. This is obvious in the $e = 0$ case. In this case, the smart card takes a random $r$, presents $t = (r^2 \bmod n)$ as witness and later presents $r$ itself as response. The secret square root $s$ never played a role in these calculations.

If the illegitimate card knows that the challenge will be 1, it generates a random $r$, computes $t = r^2 / ID \pmod n$ (using the inverse of $ID$ modulo $n$) and presents this value of $t$ to the card reader. After having received the challenge $e = 1$, the smart card will present $u = r$. The card reader checks (see (14.3)) if $u^2$ is congruent to $t \cdot ID$ modulo $n$. This is obviously the case with $u = r$ and $t = r^2 / ID \pmod n$.

Note that the unauthorized card can not meet the challenge if it makes the wrong guess about the challenge. So, it will be caught with probability 1/2 if the card reader selects its challenge at random.

For this reason, smart card and card reader will run $k$ times through the above protocol, where $k$ is a security parameter. A smart card that does not know the value of $s$ can guess the $k$ random challenges with probability $(1/2)^k$, so it will be caught with probability $1 - (1/2)^k$.

The card should not use the same random number $r$ twice, because as soon as the card reader knows both $r$ and $r \cdot s$ (through $u$), it can calculate the secret square root $s$.
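The $k$-round protocol of Figure 14.1 and the cheating card described above, as an added Python example (not from the book): the modulus is a constructed toy product of two small primes, not the large RSA-size $n$ the text requires, and the cheater's ability to "know the challenge beforehand" is modelled by handing it the reader's challenge bits. It shows the honest card passing every round, the cheater passing every round when the challenges are predictable, and the same cheater being stopped at its first wrong guess when they are random.

```python
import random

# Constructed toy modulus for this added example.  The protocol needs n = p*q with
# large primes, as for RSA; these small primes only keep the run instant.
P_PRIME, Q_PRIME = 1000003, 1000033
N = P_PRIME * Q_PRIME


def keygen(rng):
    """Trusted party: secret square root s and public ID = s^2 mod n  (14.1)."""
    s = rng.randrange(2, N)
    return s, pow(s, 2, N)


class HonestCard:
    """Knows s; follows Figure 14.1 with a fresh r in every round."""

    def __init__(self, s, rng):
        self.s, self.rng = s, rng

    def witness(self):
        self.r = self.rng.randrange(1, N)
        return pow(self.r, 2, N)                 # t = r^2 mod n  (14.2)

    def respond(self, e):
        return self.r * pow(self.s, e, N) % N    # u = r * s^e mod n


class CheatingCard:
    """Knows ID but not s.  Before committing it guesses the challenge: for guess 0
    it sends t = r^2, for guess 1 it sends t = r^2 / ID, and it always answers u = r.
    If the guesses are fed in from outside (a reader whose challenges are
    predictable) it passes every round; with random guesses each round is a coin flip."""

    def __init__(self, ID, rng, predicted=None):
        self.ID, self.rng = ID, rng
        self.predicted = list(predicted) if predicted is not None else []

    def witness(self):
        self.guess = self.predicted.pop(0) if self.predicted else self.rng.randrange(2)
        self.r = self.rng.randrange(1, N)
        t = pow(self.r, 2, N)
        if self.guess == 1:
            t = t * pow(self.ID, -1, N) % N
        return t

    def respond(self, e):
        return self.r                             # correct only when e == self.guess


def verify(ID, t, e, u):
    """Card reader's check u^2 == t * ID^e (mod n)  (14.3)."""
    return pow(u, 2, N) == t * pow(ID, e, N) % N


def run_protocol(card, ID, challenges):
    """Run one round per challenge bit; the reader rejects at the first failure.
    Returns the number of rounds passed (len(challenges) means accepted)."""
    passed = 0
    for e in challenges:
        t = card.witness()
        if not verify(ID, t, e, card.respond(e)):
            break
        passed += 1
    return passed


def demo(seed=2024, k=20):
    """Honest card, guessing cheater and challenge-predicting cheater against the same
    k random challenges; returns their three round counts."""
    rng = random.Random(seed)
    s, ID = keygen(rng)
    challenges = [rng.randrange(2) for _ in range(k)]
    return (run_protocol(HonestCard(s, rng), ID, challenges),
            run_protocol(CheatingCard(ID, rng), ID, challenges),
            run_protocol(CheatingCard(ID, rng, challenges), ID, challenges))


if __name__ == "__main__":
    honest, guessing, predicting = demo()
    print(f"honest card passed {honest}/20 rounds")
    print(f"cheater guessing e passed {guessing}/20 rounds")
    print(f"cheater knowing e in advance passed {predicting}/20 rounds")
```

The number of rounds the guessing cheater survives is the number of correct coin flips it makes before the first wrong one, which is why the reader's challenge bits must come from a good random source: a reader with a predictable challenge sequence is the "knows the challenge beforehand" case above.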


The idea of proving certain things without revealing any information about them is counter-intuitive, but very powerful. There is a growing field of applications of zero-knowledge proofs.

Examples are electronic voting schemes that make it possible to cast votes in an anonymous way. On the other hand, a voter will be caught when attempting to vote twice. In these schemes, it can be checked that all votes have been counted in the final tally.

Another application is a payment system that allows you to withdraw money from your account in digital form and spend it anonymously. Even your own bank can no longer trace it to you. However, if you try to double-spend the money, your identity can be recovered.


14.2 Schnorr's Identification Protocol

Schnorr's identity verification protocol [Schn91] is based on the difficulty of the discrete logarithm problem (Table 8.1). As in the Diffie-Hellman scheme, all participants share some parameters. First of all there is a finite field $GF(q)$ (this could be $\mathbb{Z}_q$ if $q$ is prime) and a prime divisor $p$ of $q - 1$. Let $w$ be a primitive element of $GF(q)$ and take $\alpha = w^{(q-1)/p}$. Then $\alpha$ is a primitive $p$-th root of unity. This means that $1, \alpha, \ldots, \alpha^{p-1}$ are all different and that $\alpha^p = 1$.
Example 14.1 (Part 1)

Let $p = 104729$ and $q = 8p + 1 = 837833$. Take $w = 3$ and $\alpha = w^{(q-1)/p} = 3^8 = 6561$. To check that $q$ is prime and that $w = 3$ is a primitive element in $\mathbb{Z}_q$ (which makes $\alpha$ a primitive $p$-th root of unity), we use the Mathematica functions Prime, PrimeQ, and the function MultiplicativeOrder (defined in Appendix D) which computes the multiplicative order of an element. The outputs are:

104729        (p; the function Prime returns 104729 as the 10000th prime)
837833        (q = 8p + 1)
True          (PrimeQ[q])
837832        (MultiplicativeOrder[3, q] = q - 1, so 3 is a primitive element)
6561          (alpha = PowerMod[3, 8, q])


Each participant $P$ ($P$ for prover) selects a random secret exponent $x_P$, computes $y_P = \alpha^{x_P}$, and makes this value public. It is assumed that other participants are able to verify that $y_P$ is indeed $P$'s public parameter. This can be realized if a trusted authority signs $y_P$ or if the public values are posted on a trusted "bulletin board". If someone else, say $V$ for verifier, wants to check $P$'s identity $y_P$, he does this by checking that $P$ knows the corresponding $x_P$. Of course, $P$ does not want to release the secret value of $x_P$ to anyone. Therefore, he uses a cryptographic protocol to convince $V$ that he has knowledge of $x_P$.

Example 14.1 (Part 2)

Prover $P$ has identity number $y_P = 693$ and secret exponent $x_P = 18126$. Indeed, $\alpha^{18126} \equiv 693 \pmod q$.
Schnorr's identification protocol goes as follows. The verifier is presented with $P$'s identity number $y_P$. Next, prover $P$ generates a random exponent $r$, $0 \le r < p$, computes $\rho = \alpha^r$ and presents this value $\rho$ to the verifier $V$ as a witness to his secret $x_P$. The verifier selects a random number $s$, $0 \le s < p$, and hands this to $P$ as challenge. Prover $P$ responds by computing $u = r + s \cdot x_P \pmod p$ and gives this value to $V$. The verifier checks that $\alpha^u = \rho \cdot (y_P)^s$. This relation should hold, because $\alpha^u = \alpha^{r + s x_P} = \alpha^r (\alpha^{x_P})^s = \rho \cdot (y_P)^s$. This scheme is depicted in the following diagram.


Prover                                       Verifier
knows x_P, y_P, p, q, alpha                  knows p, q, alpha
                    ---- y_P ---->
generates random r from Z_p
computes rho = alpha^r
                    ---- rho ---->
                                             selects random s from Z_p
                    <---- s ----
computes u = r + s.x_P modulo p
                    ---- u ---->
                                             checks if alpha^u = rho.(y_P)^s

Schnorr's identification protocol

Figure 14.2


Example 14.1 (Part 3)

In the input below, the above protocol is executed. The Mathematica functions Random, Mod, and PowerMod are used. The outputs are:

witness is 36431
challenge is 29041
response is 65643
True


Of course, the prover will only be able to give the right response if he knows $x_P$ satisfying $\alpha^{x_P} = y_P$. If he does not know $x_P$, he can guess the correct value of $u$ with probability $1/p$. The value of $p$ will be very large to make the discrete logarithm problem intractable (see Subsection 8.1.1).

Note that in the relation $u = r + s \cdot x_P$ only the values $u$ and $s$ are known to $V$. In other words, the random value $r$ makes sure that no information on $x_P$ is leaked to $V$. This observation also shows that the prover should not use the same random number $r$ twice. Indeed, from two relations $u_1 = r + s_1 \cdot x_P$ and $u_2 = r + s_2 \cdot x_P$ with known $s_1, s_2, u_1$, and $u_2$ the verifier can easily determine $r$ and the secret $x_P$. One has $x_P = (u_1 - u_2)/(s_1 - s_2) \pmod p$.


Example 14.1 (Part 4)

For the same witness, we generate a second challenge and response.

ss = Random[Integer, p]; Print["second challenge is ", ss]
uu = Mod[r + ss*xP, p]; Print["second response is ", uu]
PowerMod[al, uu, q] == Mod[rho*PowerMod[yP, ss, q], q]

second challenge is 62706
second response is 21550
True

To find $x_P$, we compute $x_P = (u_1 - u_2)/(s_1 - s_2) \pmod p$:

Mod[(u - uu) * PowerMod[s - ss, -1, p], p]

18126

The value 18126 is indeed the secret exponent $x_P$ of the prover.
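Schnorr's protocol of Figure 14.2 with the parameters of Example 14.1, followed by the nonce-reuse recovery of Part 4, as an added Python example (not the book's Mathematica code). It uses the page's $p$, $q$, $\alpha = 3^8$ and $x_P = 18126$; the random exponents of the fresh run are the example's own choice. The last line applies the recovery formula to the two challenge/response pairs printed in Parts 3 and 4 and gets the page's secret back.

```python
# Public parameters of Example 14.1: q prime, p a prime divisor of q - 1, and
# alpha = 3^((q-1)/p) a primitive p-th root of unity in Z_q.
p = 104729
q = 8 * p + 1                          # 837833
alpha = pow(3, (q - 1) // p, q)        # 3^8 = 6561


def parameters_ok():
    """alpha has order exactly p: alpha^p = 1 and alpha != 1 (p prime)."""
    return pow(alpha, p, q) == 1 and alpha != 1


def public_key(x):
    """y_P = alpha^x_P mod q."""
    return pow(alpha, x, q)


def witness(r):
    """Prover's commitment rho = alpha^r mod q for a random r in Z_p."""
    return pow(alpha, r, q)


def respond(r, s, x):
    """u = r + s * x_P (mod p)."""
    return (r + s * x) % p


def verify(y, rho, s, u):
    """Verifier: alpha^u == rho * y^s (mod q)."""
    return pow(alpha, u, q) == rho * pow(y, s, q) % q


def transcript(x, r, s):
    """One complete exchange (Figure 14.2) for secret x, nonce r and challenge s;
    returns (rho, s, u, accepted)."""
    rho = witness(r)
    u = respond(r, s, x)
    return rho, s, u, verify(public_key(x), rho, s, u)


def recover_from_nonce_reuse(s1, u1, s2, u2):
    """Two accepted transcripts with the same r leak x_P = (u1 - u2)/(s1 - s2) mod p."""
    return (u1 - u2) * pow(s1 - s2, -1, p) % p


if __name__ == "__main__":
    import random
    rng = random.Random(1)
    xP = 18126                          # secret exponent of Example 14.1 (page: y_P = 693)
    print("parameters ok:", parameters_ok(), " y_P =", public_key(xP))
    r, s = rng.randrange(1, p), rng.randrange(1, p)
    print("fresh transcript accepted:", transcript(xP, r, s)[3])
    # Prover reuses r for a second challenge: anyone who saw both recovers x_P.
    s2 = rng.randrange(1, p)
    _, _, u1, _ = transcript(xP, r, s)
    _, _, u2, _ = transcript(xP, r, s2)
    print("x_P from two responses with the same r:", recover_from_nonce_reuse(s, u1, s2, u2))
    # Same computation on the numbers printed in Example 14.1 (Parts 3 and 4).
    print("x_P from the page's transcripts:", recover_from_nonce_reuse(29041, 65643, 62706, 21550))
```

The response is reduced modulo $p$ (the order of $\alpha$), which is why the verifier's exponentiation still works; the recovery needs $s_1 \ne s_2$, which the verifier guarantees with overwhelming probability by choosing challenges at random.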


14.3 Problems

Problem 14.1*
Duplicate Example 14.1 for $p = 113$. Find a suitable value for $q$.


15 Secret Sharing Systems

15.1 Introduction

In this chapter we shall not introduce a new cryptosystem, but we shall discuss a related topic. We start with an example from [Liu68].

"Eleven scientists are working on a secret project. They wish to lock up the documents in a cabinet so that the cabinet can be opened if and only if six or more of the scientists are present. What is the smallest number of locks needed? What is the smallest number of keys to the locks each scientist must carry?"

Clearly, for each 5-tuple of scientists there has to be at least one lock that can not be opened by them. Also, each of the six remaining scientists has a key to that lock. More than one such lock per 5-tuple is not needed. So, $\binom{11}{5}$ locks are needed and each scientist carries $\binom{11-1}{5}$ keys. These numbers can be calculated with the Mathematica function Binomial:

Binomial[11, 5]
462

Binomial[10, 5]
252

The solution above is of course not very practical. Similarly, the described situation is not very realistic. However, there exist very real situations where one wants to share some sensitive information among a group of people, in such a way that only certain privileged coalitions are able to recover the secret information. Examples are a master key of a payment system or a private key that one does not want to store in a single place.


In a general setting, if $P$ is a privileged group of people, meaning that they should be able to recover the secret data, then any other group containing $P$ as a subgroup should also be privileged. Also, if $N$ is not privileged then any subset of $N$ should not be privileged.

Definition 15.1

An access structure $(U, \mathcal{P}, \mathcal{N})$ consists of a finite set $U$ (of users) and two disjoint collections $\mathcal{P}$ and $\mathcal{N}$ of subsets of $U$ ($\mathcal{P}$ for the privileged subsets and $\mathcal{N}$ for the non-privileged) with the property that

$$P \in \mathcal{P},\ P \subseteq B \subseteq U \;\Rightarrow\; B \in \mathcal{P}, \qquad N \in \mathcal{N},\ A \subseteq N \;\Rightarrow\; A \in \mathcal{N}.$$

In the example above, $U = \{1, 2, \ldots, 11\}$, $\mathcal{P}$ consists of all subsets of $U$ of size at least 6 and $\mathcal{N}$ of all the other subsets of $U$. It is a special case of what is generally called a threshold scheme.

It is often convenient to list only the set of the minimal elements of $\mathcal{P}$, denoted by $\mathcal{P}^-$, which can be obtained from $\mathcal{P}$ by leaving out each element of $\mathcal{P}$ that properly contains another element of $\mathcal{P}$. Similarly, one often represents $\mathcal{N}$ by the subset $\mathcal{N}^+$ consisting of its maximal elements.

An access structure is called complete or perfect if each subset of $U$ is either in $\mathcal{P}$ or in $\mathcal{N}$.

Definition 15.2

Let $S$ be a random variable defined on a finite set $\mathcal{S}$. Assume that $S$ is uniformly distributed on $\mathcal{S}$.

Let $U$ be a collection of $m$ participants, each having obtained a particular element $S_i$ out of $\mathcal{S}$ from some trustworthy authority. Further, let $(U, \mathcal{P}, \mathcal{N})$ be an access structure. Then the collection $\{S_i\}_{i \in U}$ is called a secret sharing scheme for $(U, \mathcal{P}, \mathcal{N})$ if it satisfies the following two properties:

[SSS1] each privileged group $P$ of participants ($P \in \mathcal{P}$) can compute the secret $S$.
[SSS2] each non-privileged group $N$ of participants ($N \in \mathcal{N}$) can not compute any information on $S$.

The value $S_i$ (to be called the share of $i$) should be interpreted as partial information of participant $i$ on the secret $S$. In information theoretical notation (see Chapter 5), SSS1 and SSS2 can be reformulated as

[SSS1] $H(S \mid \{S_i\}_{i \in P}) = 0$ for any $P \in \mathcal{P}$.
[SSS2] $H(S \mid \{S_i\}_{i \in N}) = H(S)$ for any $N \in \mathcal{N}$.

Note that in secret sharing schemes that are not perfect, there may be coalitions $C$, $C \notin \mathcal{P} \cup \mathcal{N}$, of participants that are able to recover some information on the secret $S$ (so $H(S \mid \{S_i\}_{i \in C}) < H(S)$) without being privileged.
15.2 Threshold Schemes

A secret sharing scheme $\{S_i\}_{1 \le i \le n}$ is called an $(n, k)$-threshold scheme if $\mathcal{P}$ consists of all subsets of $U$ of cardinality $\ge k$ and $\mathcal{N}$ consists of all subsets of $U$ of cardinality $\le k - 1$. By definition, a threshold scheme is a perfect secret sharing scheme. Properties SSS1 and SSS2 can be reformulated as

[TS1] Knowledge of $k$ or more different $S_i$'s makes $S$ computable.

[TS2] Knowledge of at most $k - 1$ different $S_i$'s leaves the secret $S$ completely undetermined; more precisely, all possible values in $\mathcal{S}$ are still equally likely.

Shamir describes (see [Sham79]) the following general construction of $(n, k)$-threshold schemes when $\mathcal{S}$ is a finite field $GF(q)$, where $q$ has to be larger than $n$. Here, we shall assume that $q$ is a prime number, say $q = p$, in which case $\mathcal{S}$ is just $\mathbb{Z}_p$, the set of integers modulo $p$. The generalization to $GF(q)$ will be immediate.

This system is based on the well known fact that a line is uniquely defined by any two points on it, that a parabola is uniquely defined by three points on it, etc. In general, a polynomial of degree $k - 1$ is uniquely determined by any $k$ points on it.





Example 15.1 (Part 1)

In order to construct a (10, 4)-threshold scheme for secret $S = 17$ in $\mathbb{Z}_{19}$, we hide the secret in the polynomial (note the use of the Mathematica function Mod)

$$f(x) = 17 + 7x + 12x^2 + 5x^3 \pmod{19},$$

where the coefficients of $x^j$, $1 \le j \le 3$, are selected at random from $\mathbb{Z}_{19}$.

The values of the shares $(i, f(i))$, $1 \le i \le 10$, can be computed with the Mathematica function Table:

{{1, 3}, {2, 5}, {3, 15}, {4, 6}, {5, 8}, {6, 13}, {7, 13}, {8, 0}, {9, 4}, {10, 17}}


To check that the values $S_i$, $1 \le i \le n$, given by (15.2), form an $(n, k)$-threshold scheme, we have to check the two conditions TS1 and TS2.

Ad TS1:

Suppose that participants $i_1, i_2, \ldots, i_k$ combine their shares $S_{i_1} = (i_1, f(i_1))$, $S_{i_2} = (i_2, f(i_2))$, $\ldots$, $S_{i_k} = (i_k, f(i_k))$. With the Lagrange Interpolation Formula, it is quite easy to determine $f(x)$. Indeed,

$$f(x) = \sum_{j=1}^{k} f(i_j) \prod_{\substack{l=1 \\ l \ne j}}^{k} \frac{x - i_l}{i_j - i_l}, \qquad (15.3)$$

since the expression on the right hand side has degree $\le k - 1$, just as $f(x)$ does by (15.1), and since the right hand side takes on the value $S_{i_j} = f(i_j)$ for $x = i_j$, $1 \le j \le k$, just as $f(x)$ does.

Note that by (15.1), the secret $S$ is given by $f(0)$; therefore, in the calculation of the Lagrange Interpolation Formula, one can take $x = 0$ right from the start.


Example 15.1 (Part 2)

Suppose that participants 1, 3, 6, and 9 want to retrieve the secret $S$. They pool their shares (1, 3), (3, 15), (6, 13), and (9, 4). The Lagrange Interpolation Formula can be performed with the Mathematica function InterpolatingPolynomial. The function PolynomialMod is used for the reduction modulo 19:

PolynomialMod[InterpolatingPolynomial[{{1, 3}, {3, 15}, {6, 13}, {9, 4}}, x], 19]

17 + 7x + 12x^2 + 5x^3

The value of the secret $S$ is the constant term in this expression. So, $S = 17$.
Ad TS2:

Suppose that shares $S_{i_1}, S_{i_2}, \ldots, S_{i_l}$ are known for some $l < k$. It follows from (15.1) and (15.3) that there are exactly $q^{k-l-1}$ polynomials $g(x)$ of degree $\le k - 1$ satisfying $g(i_u) = S_{i_u}$, $1 \le u \le l$, and with any fixed value for $g(0)$.

Indeed, for any fixed value of $g(0)$, any fixed group of $k - l - 1$ other participants and any given set of imaginary values of their shares, there is a unique $g(x)$ meeting all requirements. This is a direct consequence of the Lagrange Interpolation Formula.


Example 15.1 (Part 3)

Suppose that participants 1, 3, and 9 attempt to retrieve secret $S$ by pooling their shares (1, 3), (3, 15) and (9, 4).

Then the secret $S$ can still take on any value (and each of these values is still equally likely). Indeed, adding the pair $(0, S)$ to the above three shares leads to a unique polynomial through $(0, S)$ and the three shares. This follows from the Lagrange Interpolation Formula and can be checked as follows.

Clear[x]
Table[{S, PolynomialMod[InterpolatingPolynomial[{{0, S}, {1, 3}, {3, 15}, {9, 4}}, x], 19]}, {S, 0, 18}] // TableForm

S    polynomial through (0, S), (1, 3), (3, 15), (9, 4)
0    2x + x^2
1    1 + 9x + 5x^2 + 7x^3
2    2 + 16x + 9x^2 + 14x^3
3    3 + 4x + 13x^2 + 2x^3
4    4 + 11x + 17x^2 + 9x^3
5    5 + 18x + 2x^2 + 16x^3
6    6 + 6x + 6x^2 + 4x^3
7    7 + 13x + 10x^2 + 11x^3
8    8 + x + 14x^2 + 18x^3
9    9 + 8x + 18x^2 + 6x^3
10   10 + 15x + 3x^2 + 13x^3
11   11 + 3x + 7x^2 + x^3
12   12 + 10x + 11x^2 + 8x^3
13   13 + 17x + 15x^2 + 15x^3
14   14 + 5x + 3x^3
15   15 + 12x + 4x^2 + 10x^3
16   16 + 8x^2 + 17x^3
17   17 + 7x + 12x^2 + 5x^3
18   18 + 14x + 16x^2 + 12x^3

Remark 1:

In the generalization to arbitrary fields $GF(q)$, the $n$ participants are labeled by different non-zero field elements $a_i$, $1 \le i \le n$, and the share $S_i$ of the $i$-th participant will be the pair $(a_i, f(a_i))$. A way to realize this is to choose a primitive element (generator) $\alpha \in GF(q)$, label the participants from 1 to $n$ and give the $i$-th participant as share the pair $(i, f(\alpha^i))$.

Remark 2:

The threshold scheme explained here assumes a trustworthy authority. It is also a system that can be used only once. As soon as participants have exchanged their shares to retrieve the secret, these shares are compromised. A new set of shares has to be set up for later use. In the literature one can find proposals that relax these conditions.


15.3 Threshold Schemes with Liars

In [McES81] a variant of the construction above is proposed that can handle the situation that some of the participants provide false information, so the share they provide does not have the correct value. Some participants may want to do this to prevent others from getting access to the secret data. It will turn out that it takes two extra shares to recover the secret for each incorrect share that is contributed. So, if $k + 2t$ participants pool their shares to recover the secret, at most $t$ of the shares should be false.

Construction 15.2

Let $S$ be a secret from $GF(q)$, for some prime power $q$, and let $a_1, a_2, \ldots, a_n$, $n \le q - 1$, be a list of $n$ different non-zero elements in $GF(q)$, e.g. $a_i = \alpha^i$, $1 \le i \le n$, for some primitive element $\alpha$ in $GF(q)$.

Consider $f(x) = S + a_1 x + a_2 x^2 + \ldots + a_{k-1} x^{k-1}$, where the coefficients $a_j$, $1 \le j \le k - 1$, are randomly selected from $GF(q)$.

The pair $(a_i, f(a_i))$ will be the share $S_i$ of the $i$-th participant. Suppose that $k + 2t$ participants ($k + 2t \le n$) pool their shares and assume that at most $t$ of these are incorrect.

Then each of these participants can efficiently compute $f(x)$ and recover $S$. Moreover the incorrect shares can be identified.

Proof: The polynomial $f(x)$ used to compute the shares is of degree $\le k - 1$ and has the additional property that at least $k + t$ of the pooled shares lie on it. Could there be another polynomial, say $g(x)$, with the same properties? The answer is no. Indeed, since there are only $k + 2t$ shares, any two subsets of at least $k + t$ shares must have an intersection of at least $k$ shares. These $k$ shares lie on $f(x)$ and on $g(x)$. Since both $f(x)$ and $g(x)$ have degree at most $k - 1$, it follows that $f(x) = g(x)$.

To determine $f(x)$ the participants can try out all possible polynomials of degree $\le k - 1$ through $k$ of the shares until a polynomial passes through $\ge k + t$ of them. Of course, this is not an efficient way. For an efficient technique, the theory of error-correcting codes is needed (as in Chapter 11). The shares that are defined above in fact define codewords $(f(a_1), f(a_2), \ldots, f(a_n))$ in a so-called shortened Reed-Solomon code with parameters $[n, k, n - k + 1]$. We refer the reader who is not familiar with this theory to [MacW77], Chapter 11. Both the Berlekamp-Massey algorithm and the Euclidean algorithm give efficient ways to decode this code. In the context of our problem, where $k + 2t$ shares are known, one has to interpret the other $n - k - 2t$ shares as erasures. If the number of erasures plus twice the number of errors is less than the minimum distance of a code, one can still correct these errors and erasures. Here $(n - k - 2t) + 2t$ is indeed less than $n - k + 1$. Efficient algorithms exist (see [Berl68], Section 10.4 and [SugK76]) to correct these errors and erasures for Reed-Solomon codes.


Remark 1: By taking $t = 0$, Construction 15.2 reduces to Construction 15.1.

Remark 2: If only $k + 2t - 1$ shares are available and $t$ of them are incorrect, then $f(x)$ is not necessarily uniquely determined. For instance, it is possible that of the $k + 2t - 1$ shares all of them except the first $t$ lie on one polynomial of degree $\le k - 1$, while all these shares except the last $t$ lie on another polynomial of degree $\le k - 1$ (the intersection of the two share sets has cardinality $k - 1$).

In this case, there is however partial information on the secret.

Example 15.2

Consider $k = 3$, $t = 1$ and $p = 17$.

Of the four shares (1, 4), (2, 1), (3, 5), (4, 4), each three define a parabola, leaving the other point as incorrect value. Of the 17 possible secrets four are possible, all with equal probability.
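Shamir's threshold scheme of Section 15.2 (Example 15.1, conditions TS1 and TS2) and the liar-tolerant variant of Construction 15.2 (Example 15.2) share the same Lagrange interpolation over $\mathbb{Z}_p$, so one added Python example covers both; it is not code from the book. It assumes nothing beyond the page's numbers except one constructed liar scenario at the end (five shares of a parabola over $\mathbb{Z}_{17}$ with one falsified value). The decoder is the exhaustive search the text calls inefficient, not Berlekamp-Massey; it is enough to show that with $k + 2t$ shares the polynomial is unique and the false share is exposed, while with $k + 2t - 1$ shares several secrets remain.

```python
from itertools import combinations


def eval_poly(coeffs, x, p):
    """Horner evaluation of S + a_1 x + ... + a_{k-1} x^{k-1} mod p (constant term first)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc


def make_shares(coeffs, n, p):
    """Shares S_i = (i, f(i)), 1 <= i <= n; coeffs[0] is the secret S."""
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]


def lagrange_poly(points, p):
    """Coefficients (constant first) of the unique polynomial of degree < len(points)
    through the points: the Lagrange Interpolation Formula (15.3) over Z_p."""
    k = len(points)
    coeffs = [0] * k
    for j, (xj, yj) in enumerate(points):
        basis, den = [1], 1                 # prod_{l != j} (x - x_l) and (x_j - x_l)
        for l, (xl, _) in enumerate(points):
            if l != j:
                basis = [(b - xl * c) % p for b, c in zip([0] + basis, basis + [0])]
                den = den * (xj - xl) % p
        scale = yj * pow(den, -1, p) % p
        coeffs = [(c + scale * b) % p for c, b in zip(coeffs, basis)]
    return coeffs


def recover_secret(points, p):
    """TS1: k shares give f, and the secret is f(0), the constant term."""
    return lagrange_poly(points, p)[0]


def candidate_polys(points, p):
    """TS2 with k - 1 known shares (Example 15.1 Part 3): for every S in Z_p there is
    exactly one polynomial through (0, S) and the shares; returns them keyed by S."""
    return {s: lagrange_poly([(0, s)] + list(points), p) for s in range(p)}


def decode_with_liars(shares, k, t, p):
    """Construction 15.2 by exhaustive search (the text's inefficient method): find a
    polynomial of degree <= k-1 through k of the shares that agrees with at least k + t
    of them.  With k + 2t shares and at most t wrong it is unique.  Returns
    (secret, list of shares identified as false) or None."""
    for subset in combinations(shares, k):
        f = lagrange_poly(list(subset), p)
        agree = [s for s in shares if eval_poly(f, s[0], p) == s[1]]
        if len(agree) >= k + t:
            return f[0], [s for s in shares if s not in agree]
    return None


def ambiguous_secrets(shares, k, t, p):
    """Remark 2 / Example 15.2: with only k + 2t - 1 shares, every polynomial of
    degree <= k-1 agreeing with at least k + t - 1 of them is possible; returns the
    set of their constant terms."""
    found = set()
    for subset in combinations(shares, k):
        f = lagrange_poly(list(subset), p)
        if sum(eval_poly(f, x, p) == y for x, y in shares) >= k + t - 1:
            found.add(f[0])
    return found


if __name__ == "__main__":
    # Example 15.1: (10, 4)-threshold scheme over Z_19, f(x) = 17 + 7x + 12x^2 + 5x^3
    f, p = [17, 7, 12, 5], 19
    shares = make_shares(f, 10, p)
    print("shares:", shares)
    pooled = [s for s in shares if s[0] in (1, 3, 6, 9)]
    print("participants 1, 3, 6, 9: f =", lagrange_poly(pooled, p), "-> S =", recover_secret(pooled, p))
    three = [s for s in shares if s[0] in (1, 3, 9)]
    print("participants 1, 3, 9 alone: number of possible secrets =", len(candidate_polys(three, p)))
    # Example 15.2: k = 3, t = 1, p = 17, only k + 2t - 1 = 4 shares
    print("Example 15.2 candidate secrets:",
          sorted(ambiguous_secrets([(1, 4), (2, 1), (3, 5), (4, 4)], 3, 1, 17)))
    # Constructed liar scenario: k = 3, t = 1, five shares of g(x) = 7 + 3x + 5x^2 over
    # Z_17, with participant 2 contributing a falsified value.
    liar_shares = make_shares([7, 3, 5], 5, 17)
    liar_shares[1] = (2, (liar_shares[1][1] + 9) % 17)
    print("decoded (secret, false shares):", decode_with_liars(liar_shares, 3, 1, 17))
```

The search tries $\binom{k+2t}{k}$ subsets, which is fine for a handful of shares; for realistic $n$ and $t$ one uses the Reed-Solomon decoders the text names. Note that the dealer of Example 15.2 cannot be helped by adding a fifth share taken from one of the four candidates: each of the four parabolas is consistent with three of the shares, and only a share lying on the true one breaks the tie.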


15.4 Secret Sharing Schemes 


Although there is a lot of literature on secret sharing schemes, there are also many central 
questions that still need to be answered. For this reason, we only discuss one example of a secret 
sharing scheme. The reader is referred to [Bric89] and [Dijk97] to find a discussion of various 
generalizations of the technique explained here. For a general introduction to secret sharing 


schemes we refer to [Stin95]. 


Assume that we have as access structure the set (U,P,N) with U =({1, 2, 3, 4}, 
P ={{1, 2}, (2, 3}, (3, 4}} and N* = {{1, 3}, (1, 4}, {2, 4}}. This means that any subset of U 
containing both users 1 and 2, or users 2 and 3, or users 3 and 4 1s a privileged set, while any other 
combination of users is non-privileged. Figure 15.1 depicts this situation. 





An Access Structure with Four Participants 
@ means privileged, © means non-privileged 


Figure 15.1 


The secret sharing scheme for this access structure will be set up in two steps. In the first step we 
want to share one bit (or byte or string) of information among the four participants. 


Let s be a secret bit that we want to share among the participants of our access structure (U, P, N). 
The trusted authority selects two random bits a and b and gives the following shares to the 
participants: 

participant   share 
1             a 
2             s+a, b 
3             s+b 
4             b 

A Secret Sharing Scheme with One Secret Bit 
Figure 15.2 
The + sign stands for addition modulo 2. The reader may easily verify that this scheme meets 
requirements SSS1 and SSS2. For instance, participants 1 and 2 can compute s from a + (s + a), 
where a comes from 1 and s + a from 2. 


Example 15.3 


For instance, if the Trusted Authority wants to share secret s = 1 among the four participants, he may 
choose a = 1 and b = 0. The shares of 1, 2, 3, 4 will be 1, resp. (0, 0), 1, 0. 


Participants 2 and 4 can not recover s, because they only know s +a and b (twice). Participants 3 and 4 
can recover the secret s by adding their shares s +b and b: 1 +0= 1. 


We see that in the scheme of Figure 15.2 participant 2 has to store twice as many bits as is the size 
of the secret. This ratio can be improved by superimposing a permuted version of the scheme to 
itself. 


Hence, now we consider a secret consisting of two bits s1 and s2. The trusted authority selects four 
random bits a, b, c, and d. He gives the following shares to the participants: 

participant   share 
1             a, c 
2             s1+a, s2+c, b 
3             s1+b, s2+d, c 
4             b, d 

A Secret Sharing Scheme with Two Secret Bits 
Figure 15.3 


In this scheme, the ratio between the size of the secret and the size of the longest share (this ratio is 
called information rate) is 2/3. It can be shown that such a ratio is always at most 1. Secret 
sharing schemes that have an efficiency rate equal to 1 are called ideal. 


There is a general matrix description of constructions of the above type. We shall explain it again 
for the example above. 


The secret sharing system is described by the matrix G_TA of the trusted authority and the matrices 
G_i of the participants 1, 2, 3, and 4. The first two columns are labeled by the secret bits (s1 and s2) 
and the next four columns by the random variables (a, b, c, and d). Each row of G_i represents one 
entry of the share of participant i (expressed in terms of the secret bits and the random bits). The 
same holds for G_TA, where we view s1, s2 as his share. 
To see that these matrices indeed represent the secret sharing scheme we multiply them with the 
vector (s1, s2, a, b, c, d). 


With the columns in the order (s1, s2, a, b, c, d), the matrices are 

G_TA = ( 1 0 0 0 0 0 )        G_1 = ( 0 0 1 0 0 0 ) 
       ( 0 1 0 0 0 0 )              ( 0 0 0 0 1 0 ) 

G_2  = ( 1 0 1 0 0 0 )        G_3 = ( 1 0 0 1 0 0 ) 
       ( 0 1 0 0 1 0 )              ( 0 1 0 0 0 1 ) 
       ( 0 0 0 1 0 0 )              ( 0 0 0 0 1 0 ) 

G_4  = ( 0 0 0 1 0 0 ) 
       ( 0 0 0 0 0 1 ) 

and the products of G_TA, G_1, G_2, G_3, G_4 with the vector (s1, s2, a, b, c, d) are 

{s1, s2} 
{a, c} 
{a + s1, c + s2, b} 
{b + s1, d + s2, c} 
{b, d} 


We get the secret of the trusted authority and the shares of all the participants, so this is exactly the 
scheme that we had above. 


The properties of a secret sharing scheme can now be translated as follows. 

The matrices G_TA and G_i, i ∈ U, describe a secret sharing scheme for access 
structure (U, P, N) if and only if 

i) for each privileged set A ∈ P, each row of G_TA lies in the linear span of the rows of the 
matrices G_i, i ∈ A, 

ii) for each non-privileged set B ∈ N, none of the rows of G_TA lies in the linear span of the rows of 
the matrices G_i, i ∈ B. 


To check that the first row of G_TA lies in the linear span of the rows of G_1 and G_2 we use the 
Mathematica package LinearAlgebra`MatrixManipulation` and the functions 
AppendColumns, MatrixForm, LinearSolve, and Transpose. 

{1, 0, 1, 0, 0} 

This shows that the first row of G_TA is the modulo-2 sum of the first row of G_1 and the first row of 
G_2. 


Similarly, one can verify that s2 can not be recovered by participants 1 and 3 in this way: the 2-nd 
row (and also the 1-st) of G_TA is not in the linear span of the rows of G_1 and G_3. 

{0, 1, 0, 0, 0, 0} 

LinearSolve::nosol : Linear equation encountered which has no solution. 

LinearSolve[{{0, 0, 1, 0, 0}, {0, 0, 0, 1, 0}, {1, 0, 0, 0, 0}, {0, 0, 1, 0, 0}, 
  {0, 1, 0, 0, 1}, {0, 0, 0, 1, 0}}, {0, 1, 0, 0, 0, 0}, Modulus -> 2] 


We conclude this section by remarking that it is not so much a problem to make a perfect secret 
sharing scheme for a particular access structure, as it is to make an efficient one, i.e. with high 
information rate. Indeed, an inefficient secret sharing scheme for a particular access 
structure (U, P, N) goes as follows. Let s be the secret to be shared. For each A ∈ P, select 
random bits a_i^(A), 1 ≤ i ≤ |A|, satisfying the binary congruence relation: 

$$\sum_{i=1}^{|A|} a_i^{(A)} \equiv s \pmod 2, \qquad A \in P.$$

If u ∈ A, then participant u gets one of these a_i^(A). 


In the example of U = {1, 2, 3, 4}, P = {{1, 2}, {2, 3}, {3, 4}} and N = {{1, 3}, {2, 4}, {1, 4}} we 
get in this way as share for secret s: 

participant   share 
1             a_1^({1,2}) 
2             a_1^({1,2}) + s, a_1^({2,3}) 
3             a_1^({2,3}) + s, a_1^({3,4}) 
4             a_1^({3,4}) + s 

A more compact way to denote this secret sharing scheme is 

participant   share 
1             a 
2             a+s, b 
3             b+s, c 
4             c+s 


This scheme has efficiency rate 1/2 and uses three random variables, as opposed to the two random 
variables in the scheme of Figure 15.2. 
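The span conditions of this section and the generic construction just described, in added Python code (not the book's Mathematica session). The matrices are those of Figure 15.3, with columns ordered (s1, s2, a, b, c, d). For non-privileged sets the check below is slightly stronger than condition (ii) as stated above: it requires that no nonzero combination of the rows of G_TA (so neither s1, nor s2, nor s1 + s2) lies in the span of the shares, which is what rules out partial information about the secret. `generic_scheme` builds the matrices of the "inefficient" construction for a one-bit secret and an arbitrary family P; the function names are this example's own.

```python
from fractions import Fraction

# Columns of every matrix: (s1, s2, a, b, c, d), as in the text (Figure 15.3).
G_TA = [[1, 0, 0, 0, 0, 0], [0, 1, 0, 0, 0, 0]]
G = {
    1: [[0, 0, 1, 0, 0, 0], [0, 0, 0, 0, 1, 0]],                      # a, c
    2: [[1, 0, 1, 0, 0, 0], [0, 1, 0, 0, 1, 0], [0, 0, 0, 1, 0, 0]],  # s1+a, s2+c, b
    3: [[1, 0, 0, 1, 0, 0], [0, 1, 0, 0, 0, 1], [0, 0, 0, 0, 1, 0]],  # s1+b, s2+d, c
    4: [[0, 0, 0, 1, 0, 0], [0, 0, 0, 0, 0, 1]],                      # b, d
}
P = [{1, 2}, {2, 3}, {3, 4}]   # privileged sets
N = [{1, 3}, {1, 4}, {2, 4}]   # non-privileged sets


def gf2_rank(rows):
    """Rank over GF(2): rows are 0/1 lists, packed into ints and reduced by pivot bit."""
    pivots = {}
    for row in rows:
        v = int("".join(map(str, row)), 2)
        while v:
            top = v.bit_length() - 1
            if top in pivots:
                v ^= pivots[top]
            else:
                pivots[top] = v
                break
    return len(pivots)


def in_span(vector, rows):
    return gf2_rank(rows + [vector]) == gf2_rank(rows)


def share_rows(participants, G):
    return [row for i in sorted(participants) for row in G[i]]


def is_secret_sharing_scheme(G_TA, G, P, N):
    """(i) every privileged set spans every row of G_TA;
    (ii) for a non-privileged set, no nonzero combination of G_TA's rows lies in the span."""
    for A in P:
        if not all(in_span(r, share_rows(A, G)) for r in G_TA):
            return False
    for B in N:
        rows = share_rows(B, G)
        if gf2_rank(rows + G_TA) != gf2_rank(rows) + gf2_rank(G_TA):
            return False
    return True


def information_rate(G_TA, G):
    """Size of the secret divided by the size of the longest share."""
    return Fraction(len(G_TA), max(len(rows) for rows in G.values()))


def generic_scheme(U, P):
    """The inefficient construction for a one-bit secret s: for each privileged set A,
    |A| - 1 fresh random bits go to all but the last member of A, and the last member
    gets s plus the sum of those bits.  Column 0 is s, then one column per random bit.
    Returns (G_TA, G) in the same matrix description as above."""
    ncols = 1 + sum(len(A) - 1 for A in P)
    G = {u: [] for u in U}
    col = 1
    for A in P:
        members = sorted(A)
        last_row = [1] + [0] * (ncols - 1)          # starts as s, random bits are added
        for u in members[:-1]:
            row = [0] * ncols
            row[col] = 1
            G[u].append(row)
            last_row[col] = 1
            col += 1
        G[members[-1]].append(last_row)
    return [[1] + [0] * (ncols - 1)], G


if __name__ == "__main__":
    print(is_secret_sharing_scheme(G_TA, G, P, N), information_rate(G_TA, G))  # True 2/3
    GT, GG = generic_scheme({1, 2, 3, 4}, P)
    print(GG)                                            # 1: a; 2: s+a, b; 3: s+b, c; 4: s+c
    print(is_secret_sharing_scheme(GT, GG, P, N), information_rate(GT, GG))    # True 1/2
```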
15.5 Visual Secret Sharing Schemes 


In visual secret sharing schemes the secret to be shared consists of an image consisting of black 
and white (or of colored) pixels. Here we shall only discuss the black and white case, where 
"white" should be understood as "transparent". For instance, the number 3 can be depicted as 
follows. 





3 


The shares consist of transparencies of the same shape also with black and white pixels. The idea 
of a visual secret sharing scheme for an access structure (U, P, N) is that privileged subsets of 
participants should be able to determine the secret by putting their transparencies on top of each 
other, while non-privileged subsets should obtain no information on the secret from their shares. 


A visual secret sharing scheme can not be realized in a straightforward way. As soon as a pixel in a 
particular share is black, the corresponding pixel in the secret will also be black. To solve this 
problem, each pixel in the secret and in the shares will be subdivided in m subpixels, where m is 
called the expansion factor of the scheme. The assumption will be that two visual threshold values 
0 < α < β ≤ 1 exist such that: 

• if at most α·m subpixels of a pixel are black, the pixel will be interpreted by the human eye as 
white, 

• if at least β·m subpixels of a pixel are black, the pixel will be interpreted as black. 

If the number of black subpixels lies strictly between α·m and β·m, we assume that the human eye 
will not decide. The difference β − α is an indication for the level of contrast that is still present in 
an image if all pixels meet one of the above two requirements. There is biological evidence 
supporting the assumption that it is the relative difference in light intensity that is of importance to 
the human eye. See [VerT97] for a longer discussion. 


In the context of visual secret sharing schemes, we have additional problems to face. For instance, 
if the shares of a non-privileged set are put on top of each other and a pixel contains more than α·m 
black subpixels, we know that the secret will be black at that place. Of course, such situations have 
to be avoided. 


It should be clear that once we have a visual secret sharing scheme for one pixel, we can use it for 
the other pixels too, creating in this way a visual secret sharing scheme for the entire secret. 

Here, we shall only explain a visual secret sharing scheme for an (n, 2)-threshold scheme. This 
means that any two participants should be able to recover the secret, while a single person should 
have no information at all about even one pixel. Before we do so, we describe the simple case 
where there are just two participants. We make the expansion factor m = 2. Let us call the 
following two subdivisions of a pixel L and R (for left black resp. right black): 

[figure: the two subpixel patterns L and R] 

It is clear that L and R put atop each other gives a black pixel, while both L+L and R+R are still 
half white and half black. Therefore, we can make a construction with threshold values α = 1/2 
and β = 1. 


Construction 15.4 

To share a white pixel, the trusted authority gives with equal probability either to both 
participants L or to both participants R. 

To share a black pixel, the trusted authority gives with equal probability to one 
participant L and to the other R. 

This gives a (2, 2)-visual threshold scheme with expansion factor m = 2 and threshold 
values α = 1/2 and β = 1. 


Below we give an example of possible shares that participants 1 and 2 have for the secret number 
3 above. 

[figure] Share 1        Share 2 


The reader can verify this by making transparencies of these two shares and putting them on top of 
each other. 


There are many constructions known of (n, k)-visual threshold schemes. We shall describe a 
general construction for k = 2. Each particular implementation of the construction will lead to its 
own values for the expansion factor m and the threshold values α and β. It makes use of two n × m 
matrices, M_W and M_B, that will be used to distribute shares among the n participants for a white 
resp. black pixel. These matrices are further characterized by two values r and λ and have to 
satisfy the following properties: 

VTS1: Matrix M_W consists of n identical copies of the row 11...1 00...0 (r ones followed by m − r zeros). 
VTS2: All row sums in M_B are equal to r. 
VTS3: Every pair of rows in M_B has inner product λ. 

The numbers m, α, β, r, and λ will be related. They can not take on any value. 


Example 15.4 (Part 1) 


Take n = 4 and m = 6. Let the matrices M_W and M_B be given by 




Note that M_W and M_B satisfy properties VTS1-VTS3 for r = 3 and λ = 1. 

The matrices M_W and M_B define two classes of n × m matrices: 
𝓜_W = {M_W.P | P is a m × m permutation matrix}, 
𝓜_B = {M_B.P | P is a m × m permutation matrix}. 

To distribute the shares for a particular pixel, the trusted authority takes either M_W or M_B, 
depending on whether the pixel is white or black, permutes the columns in a random way and 
gives the i-th row to participant i, 1 ≤ i ≤ n. 

Participant i makes the j-th subpixel white or black, depending on whether the j-th coordinate of 
his share is 0 or 1. 


Example 15.4 (Part 2) 


Suppose that the pixel that needs to be shared is black. The trusted authority selects a random 
permutation P with the Mathematica package DiscreteMath`Permutations` and the function 
RandomPermutation as follows 




This gives rise to the following permutation matrix (we use the functions Table, Do, and 
MatrixForm): 




Putting the six subpixels in a 3 × 2 array in rowwise order, we get the following four shares for 
this black pixel: 

[figure] Share 1        Share 2        Share 3        Share 4 

The reader can easily check that any two of these shares, when put atop of each other, will give 
five black subpixels and one white. 

If the original pixel would have been white, we would have had 




This means that all four shares would have looked like 

[figure] Each Share 


Since each row in both M_W and M_B has the same number of ones (namely r) and since 𝓜_W and 
𝓜_B are made from these by multiplying them on the right by all possible permutation matrices, it 
follows that each vector of length m and weight r occurs equally likely as a share for a white pixel 
as for a black pixel. This shows that our construction has as lower visual threshold value α = r/m. 

Because M_W is multiplied by a permutation matrix, it follows from VTS1 that when two 
participants have shares of a white pixel and they combine them, they do not gain anything. 

On the other hand, any two rows of M_B have weight r by VTS2 and inner product λ by VTS3. This 
remains so if M_B is multiplied by a permutation matrix. It follows that any two shares of a black 
pixel have 2r − λ entries equal to one. In the example above r = 3 and λ = 1, giving 2r − λ = 5 
ones in any combination of two shares. We conclude that the construction by means of M_W and 
M_B has a higher visual threshold value β = (2r − λ)/m. 


We have proved the following general construction: 


Construction 15.5 
Let M_B be an n × m matrix satisfying properties VTS2 and VTS3 for certain values of r 
and λ. Let M_W be of the form given by VTS1. Further, let 𝓜_W and 𝓜_B be the sets 
obtained from M_W resp. M_B by multiplying them on the right with all possible 
permutation matrices. 
Then a random choice of a matrix from 𝓜_W in case of a white pixel and a random 
choice of a matrix from 𝓜_B in case of a black pixel leads to an (n, 2)-visual threshold scheme with expansion 
factor m and threshold values α = r/m and β = (2r − λ)/m. 
Corollary 15.6 
Take any n and let u be some value in between 2 and n − 1. Let M_B be the matrix 
consisting of all columns of length n and weight u. Then M_B has $m = \binom{n}{u}$ columns. 
Moreover, every row of M_B has weight $r = \binom{n-1}{u-1}$ and any two rows have inner product 
$\lambda = \binom{n-2}{u-2}$. 

This defines an (n, 2)-visual threshold scheme with expansion factor $m = \binom{n}{u}$ and 
threshold values α = u/n and β = u(2n − u − 1)/(n(n − 1)). 


By taking n = 4 and u = 2 in the above corollary, one gets the construction of Example 15.4. 
Indeed, $m = \binom{4}{2} = 6$, $r = \binom{3}{1} = 3$ and $\lambda = \binom{2}{0} = 1$. The visual threshold 
values are given by α = 2/4 = 1/2 and β = 5/6. 


A disadvantage of the family of constructions described in the Corollary above, is the high 
expansion factor m. 


A reader who is familiar with the theory of block designs and t-designs may have guessed from 
conditions VTS2 and VTS3 that these notions often play a role in the construction of a visual 
threshold scheme. We shall explain one particular construction. 


Let p be any prime number. We recall from Definition A.9 that an integer u, 1 ≤ u < p, is called a 
quadratic residue (QR) if the congruence relation x^2 ≡ u (mod p) has a solution in Z_p. How to 
determine if a number u is a quadratic residue is explained in Section A.4. With Mathematica one 
can do this with the function JacobiSymbol, which will output 1 if and only if u is a QR. 

For instance, that x^2 ≡ 12 (mod 13) has a solution (namely ±5) follows from 

u = 12; m = 13; JacobiSymbol[u, m] 

1 

The Jacobi symbol is normally denoted by (u/p) or just by χ(u), if there is no confusion about the 
value of p. Actually, the value of χ(u) is defined to be 0, when u = 0 and −1 when 1 ≤ u < p and u 
is not a QR. 
Corollary 15.7 
Let p be any prime that is congruent to 3 mod 4. Define the p × p matrix M_B by 

(M_B)_{i,j} = 1, if j − i is a QR, 
              0, otherwise. 

Then every row of M_B has weight r = (p − 1)/2 and any two rows have inner product 
λ = (p − 3)/4. 

This defines a (p, 2)-visual threshold scheme with expansion factor m = p and threshold 
values α = (p − 1)/2p and β = (3p − 1)/4p. 





Proof: 


Fixing a row index i of M_B we see that j − i, 0 ≤ j < p, takes on all values in Z_p. It follows from 
Theorem A.20 that each row in M_B has weight (p − 1)/2. 

Now consider the matrix X = (χ(j − i))_{0≤i,j<p}. Matrix M_B can be obtained from X by replacing all 
its −1-entries by 0. Consider two rows of X and let them be indexed by i_1 and i_2. Note that 

$$\chi(i_1 - i_2) \overset{\text{Thm. A.21}}{=} \chi(-1)\,\chi(i_2 - i_1) \overset{\text{Cor. A.24}}{=} -\chi(i_2 - i_1).$$

This means that the matrix X is skew-symmetric and that the i_2-th entry in row i_1 is equal to 
minus the i_1-th entry in row i_2. We conclude that, apart from a reordering of the coordinates, rows 
i_1 and i_2 will look like 

coordinate:   i_1    i_2    a coordinates   b coordinates   c coordinates   d coordinates 
row i_1:       0      1      1 ... 1         1 ... 1        −1 ... −1       −1 ... −1 
row i_2:      −1      0      1 ... 1        −1 ... −1        1 ... 1        −1 ... −1 

where the two rows may have been interchanged. 

The inner product of rows i_1 and i_2 in M_B is given by the value of a (since all −1's in X are 
replaced by 0 to get M_B). To find the values a, b, c, d we calculate first 

$$\sum_{j=0}^{p-1} \chi(j - i_1)\,\chi(j - i_2) = \sum_{j=0}^{p-1} \chi(j)\,\chi\bigl(j - (i_2 - i_1)\bigr) = -1. \qquad (15.4)$$

The first equality follows from the substitution j − i_1 → j, the second one follows from Theorem 
A.22, since i_1 ≢ i_2 (mod p). 

Hence, we have the following relations: 

2 + a + b + c + d = p,        (X has p columns), 
a − b − c + d = −1,           (from (15.4)), 
1 + a + b = (p − 1)/2,        (apply Thm. A.20 to the first row), 
a + c = (p − 1)/2,            (apply Thm. A.20 to the second row). 

These equations have a unique solution: a = b = d = (p − 3)/4 and c = (p + 1)/4. We conclude 
that the inner product of two different rows in M_B is (p − 3)/4. 


The Corollary is now a direct consequence of Construction 15.5. 
Example 15.5 

Take p = 11. The matrix M_B can be made with the Mathematica functions JacobiSymbol, If, and 
Array as follows: 




So, we have an (11, 2)-visual secret sharing scheme with expansion factor m = 11 and threshold 
values α = (p − 1)/2p = 5/11 and β = (3p − 1)/4p = 8/11. 
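Construction 15.5, Corollaries 15.6 and 15.7 and Examples 15.4 and 15.5 in added Python code (not the book's Mathematica session). The quadratic-residue test uses Euler's criterion u^((p−1)/2) mod p in place of JacobiSymbol; `weight_u_columns_matrix` builds the M_B of Corollary 15.6, `qr_matrix` the M_B of Corollary 15.7, `vts_parameters` checks VTS2 and VTS3 and reads off r and λ, and `distribute`/`stack` model handing out permuted rows and laying the transparencies on top of each other. The random seed is a constructed value for reproducibility only; all function names are this example's own. The block also checks the general β formula of Corollary 15.6 for a second parameter pair (n = 5, u = 3), beyond the n = 4, u = 2 case in the text.

```python
from fractions import Fraction
from itertools import combinations
from math import comb
import random


def legendre(u, p):
    """chi(u) for an odd prime p: 0 if p | u, 1 if u is a quadratic residue, -1 otherwise
    (Euler's criterion, used here instead of Mathematica's JacobiSymbol)."""
    u %= p
    if u == 0:
        return 0
    return 1 if pow(u, (p - 1) // 2, p) == 1 else -1


def weight_u_columns_matrix(n, u):
    """M_B of Corollary 15.6: all 0/1 columns of length n and weight u, returned as n rows."""
    cols = [[1 if i in ones else 0 for i in range(n)] for ones in combinations(range(n), u)]
    return [[col[i] for col in cols] for i in range(n)]


def corollary_15_6_parameters(n, u):
    """(m, r, lambda, alpha, beta) as predicted by Corollary 15.6."""
    m, r, lam = comb(n, u), comb(n - 1, u - 1), comb(n - 2, u - 2)
    return m, r, lam, Fraction(u, n), Fraction(u * (2 * n - u - 1), n * (n - 1))


def qr_matrix(p):
    """M_B of Corollary 15.7 for a prime p = 3 (mod 4): entry (i, j) is 1 iff j - i is a QR."""
    if p % 4 != 3:
        raise ValueError("Corollary 15.7 needs p = 3 (mod 4)")
    return [[1 if legendre(j - i, p) == 1 else 0 for j in range(p)] for i in range(p)]


def vts_parameters(MB):
    """Verify VTS2 (all row sums equal r) and VTS3 (all pairwise inner products equal lambda)."""
    weights = {sum(row) for row in MB}
    inner = {sum(x * y for x, y in zip(r1, r2)) for r1, r2 in combinations(MB, 2)}
    if len(weights) != 1 or len(inner) != 1:
        raise ValueError("VTS2 or VTS3 violated")
    return weights.pop(), inner.pop()


def white_matrix(n, m, r):
    """M_W of VTS1: n identical copies of the row with r ones followed by m - r zeros."""
    return [[1] * r + [0] * (m - r) for _ in range(n)]


def thresholds(m, r, lam):
    """Construction 15.5: alpha = r/m and beta = (2r - lambda)/m."""
    return Fraction(r, m), Fraction(2 * r - lam, m)


def distribute(M, rng):
    """One pixel: permute the columns of M at random and give row i to participant i."""
    perm = list(range(len(M[0])))
    rng.shuffle(perm)
    return [[row[j] for j in perm] for row in M]


def stack(shares):
    """Transparencies on top of each other: a subpixel is black if it is black in any share."""
    return [max(col) for col in zip(*shares)]


def pairwise_stacked_counts(M, seed=0):
    """Numbers of black subpixels obtained by stacking any two of the n shares of one pixel."""
    shares = distribute(M, random.Random(seed))   # constructed seed, reproducibility only
    return {sum(stack([s1, s2])) for s1, s2 in combinations(shares, 2)}


if __name__ == "__main__":
    MB = qr_matrix(11)                            # Example 15.5
    r, lam = vts_parameters(MB)
    print("p = 11: r =", r, "lambda =", lam, "(alpha, beta) =", thresholds(11, r, lam))
    print("two black shares stacked:", pairwise_stacked_counts(MB), "black subpixels")
    print("two white shares stacked:", pairwise_stacked_counts(white_matrix(11, 11, r)))
```

Stacking two shares of a black pixel always gives 2r − λ = 8 black subpixels and two shares of a white pixel r = 5, whatever the random permutation, which is exactly the β·m and α·m of the corollary.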
15.6 Problems 


Problem 15.1” 

Set up a Shamir (5, 3)-threshold scheme for the secret 15 in GF(17). 

Show how participants 1,2 and 3 can recover the secret. 

Show that for participants 1 and 2 together each element in GF(17) is an equally likely candidate for the 
secret. 


Problem 15.2” 

Consider a Shamir (7, 4)-threshold scheme in GF(23), where the participants 1,3,4, and 6 pool their shares 
(1,13), (3, 19), (4, 19), and (6, 6) to retrieve the secret S. What will this secret be? 

Suppose that participant 5 shows his share (5, 3). Why is one of these five people lying? 

Let also participants 2 and 8 contribute their share: (2, 4) and (8, 12). Determine the liar and the real 
secret. 


Problem 15.3” 

Construct a (7, 4)-threshold scheme over the finite field GF(16) = GF(2)[a]/(a^4 + a + 1) (see Theorem 
B.15). 

What are the shares of the participants for secret S$ = (1, 0, 1, 1) which stands for the field element a? 
Show in detail how participants 2, 4, 5, 7 recover S. 


Problem 15.4 
Consider the following scheme over Z_2: 


participant share 
il a, b, C+So 
2 a+ Si, De 
3 b+S1, C-So, d 
4 b, d+S2 


Give the matrix description of this scheme. 

Prove that it is a secret sharing scheme for access structure (U, P, N) with U = {1, 2, 3, 4}, 
P = {{1, 2}, {2, 3}, {3, 1}, {3, 4}} and N = {{1, 4}, {2, 4}, {3}}. 

What is the information rate of this scheme? Is it perfect? Is it ideal? 


Problem 15.5 

Make a visualization of a set of possible shares for a black pixel in a (7, 2)-visual threshold scheme, as 
constructed in Corollary 15.7. 

What is the expansion factor of this scheme and what are its visual threshold values? 
Appendix A Elementary Number Theory 


A.1 Introduction 


Let N denote the set of natural numbers, Z the set of integers, and R the set of real numbers. 


An integer d divides an integer n, if n = k·d for some k ∈ Z. We shall denote this by d | n. If such 
an integer k does not exist, d does not divide n. This will be denoted by d ∤ n. 

To check if the integer d divides the integer n, the Mathematica function IntegerQ can be used 
in the following way. 








{1, 3, 41, 123, 137, 411, 5617, 16851} 





An integer p, p > 1, is said to be prime, if 1 and p are its only positive divisors. With p_1 = 2, 
p_2 = 3, p_3 = 5, ... we introduce a natural numbering of the set of prime numbers. 

Valuable Mathematica functions in this context are Prime and PrimeQ: 





telling if the input (here 1234567) is prime. 
There are infinitely many prime numbers. 


Proof: Suppose the contrary. Let p_1, p_2, ..., p_k be the set of all primes. Next, we observe that the 
integer $\bigl(\prod_{i=1}^{k} p_i\bigr) + 1$ is not divisible by any of the primes p_1, p_2, ..., p_k. Let n be the smallest 
integer n > 1 that is not divisible by any of the primes p_1, p_2, ..., p_k. It can not be a prime number, 
because it is not in the list p_1, p_2, ..., p_k. It follows that n has a non-trivial factor d. But then this 
factor d is divisible by at least one of the primes p_1, p_2, ..., p_k and so is n. A contradiction. 

□ 


Between two consecutive primes there can be an arbitrary large gap of non-prime numbers. For 
example, the n — 1 elements in the sequence n!+2,n!+3,...,n!+n are divisible by respectively 
2, 3, ...,n. Therefore none of them is prime. 


Definition A.1 
For n ∈ N, the prime counting function π(n) is the number of primes p with p ≤ n. 

In Mathematica, this function is denoted by PrimePi[n]. 





25 


The next theorem [see [HarW45], p.91] , which we shall not prove, tells us something about the 
relative frequency of the prime numbers in N. 


Theorem A.2 The Prime Number Theorem 

$$\lim_{n \to \infty} \frac{\pi(n)}{n / \ln n} = 1.$$

1.08449 


Two important definitions are those of the greatest common divisor and least common multiple of 
two integers. 


Definition A.2 
The greatest common divisor of two integers a and b, not both equal to 0, is the 
uniquely determined, positive integer d, satisfying 

d divides both a and b                                        (A.1) 
and 
if f divides both a and b, then f also divides d.             (A.2) 

The greatest common divisor of a and b is denoted by gcd(a, b), or just (a, b). 

Definition A.3 
The least common multiple of two integers a and b is the uniquely determined, positive 
integer m, satisfying 

m is divisible by both a and b                                (A.3) 
and 
if n is divisible by both a and b then n is a multiple of m.  (A.4) 

The least common multiple of two integers a and b is denoted by lcm[a, b] or just 
[a, b]. 


To show the existence of gcd, we introduce the set 


U = {x·a + y·b | x ∈ Z, y ∈ Z, x·a + y·b > 0}. 

Let m denote the smallest element in U. We shall show that m satisfies (A.1) and (A.2). Clearly, if 
f divides both a and b then f also divides m. So, m does satisfy (A.2). Now, write a = q·m + r, 
0 ≤ r < m (subtract or add m sufficiently often from (resp. to) a until the remainder r lies in 
between 0 and m − 1). If r ≠ 0, then r ∈ U (since both a and m are in U). This contradicts the 
assumption on the minimality of m. So, r = 0, which means that m divides a. Similarly, m divides 
b. So, m satisfies (A.1) too. 

The uniqueness of gcd(a, b) follows from (A.1) and (A.2). Indeed, if d and d' both satisfy (A.1) 
and (A.2), it follows that d | d' and d' | d. Since both d and d' are positive, it follows that d = d'. 

In a similar way, the existence and uniqueness of lcm[a, b] can be proved. 

Alternative definitions of gcd(a, b) and lcm[a, b] are: 

- gcd(a, b) is the largest integer dividing both a and b, 
- lcm[a, b] is the smallest positive integer divisible by both a and b. 
The functions GCD and LCM can be evaluated by Mathematica as follows: 





If two integers have a gcd equal to 1, we say that they are coprime. A consequence of the above is 
the following important theorem. 


Theorem A.3 
Let a and b be in Z. Then there exist integers u and v, such that 

gcd(a, b) = u·a + v·b. 

In particular, if a and b are coprime, there exist integers u and v, such that 

u·a + v·b = 1. 


The following lemma seems too obvious to need a proof. 

Lemma A.4 
Let d divide a product a·b and let the gcd of d and a be 1. Then d divides b. 

Proof: Since gcd(d, a) = 1, Theorem A.3 implies that x·d + y·a = 1, for some integers x and y. 
So, x·d·b + y·a·b = b. Since d divides a·b, it follows that d also divides x·d·b + y·a·b which equals b. 

□ 

Corollary A.5 
Let p be prime and let p divide $\prod_{i=1}^{k} a_i$, where a_i ∈ Z, 1 ≤ i ≤ k. 
Then p divides at least one of the factors a_i, 1 ≤ i ≤ k. 
Proof: Use Lemma A.4 and induction on k. 
□ 


With an induction argument the following theorem can now easily be proved. 
Any positive integer has a unique factorization of the form 

$$\prod_{i} p_i^{e_i}, \qquad e_i \in \mathbb{N}.$$

Let $a = \prod_i p_i^{e_i}$, $e_i \in \mathbb{N}$, and $b = \prod_i p_i^{f_i}$, $f_i \in \mathbb{N}$. Then one easily checks that 

$$\gcd(a, b) = \prod_i p_i^{\min\{e_i, f_i\}}, \qquad (A.5)$$
$$\mathrm{lcm}[a, b] = \prod_i p_i^{\max\{e_i, f_i\}}, \qquad (A.6)$$
$$\gcd(a, b)\,\mathrm{lcm}[a, b] = a\,b. \qquad (A.7)$$


The Mathematica expression FactorInteger[n] gives the factorization of an integer n. The 
outcome is a list of pairs. Each pair contains a prime divisor of n and its exponent. 

{{3, 2}, {5, 3}, {19, 1}} 

{{3, 3}, {5, 2}, {7, 1}, {19, 1}} 
{{3, 2}, {5, 2}, {19, 1}} 
{{3, 3}, {5, 3}, {7, 1}, {19, 1}} 

True 
A.2 Euclid's Algorithm 


Let a and b be two positive integers with b ≥ a. Clearly, any divisor of a and b is a divisor of a and 
b − a and vice versa. So, gcd(a, b) = gcd(a, b − a). Writing b = q·a + r, 0 ≤ r < a, one has for the 
same reason that gcd(a, b) = gcd(r, a). If r = 0 (and b = q·a), we may conclude that gcd(a, b) = a, 
otherwise we continue in the same way with a and r. So, we write a = q'·r + r', 0 ≤ r' < r, have 
gcd(a, b) = gcd(r', r), etc., until one of the arguments indeed divides the other. This algorithm is 
an extremely fast way of computing the gcd of two integers and it is known as Euclid's Algorithm. 


Algorithm A.7 Simple Version of Euclid's Algorithm 
input a, b positive integers 
while b > 0 do begin 
    put r as the remainder of a after division by b. 
    (So, write a = q·b + r, 0 ≤ r < b.) 
    put a = b 
    put b = r 
end 








{861, 784} 
{784, 77} 
{77, 14} 
{14, 7} 
{7, 0} 
If one also wants to find the coefficients u and v satisfying Theorem A.3, this algorithm can be 
adapted as described below. Note that by leaving out the lines involving the integers u_i and v_i, this 
(extended) algorithm reduces to the simple version above. 

Algorithm A.8 Extended Version of Euclid's Algorithm 
input b ≥ a > 0 
initialize s_0 = b, s_1 = a; 
           u_0 = 0, u_1 = 1; v_0 = 1, v_1 = 0; n = 1 
while s_n > 0 do begin 
    put n = n + 1; 
    write s_{n−2} = q_n s_{n−1} + s_n, 0 ≤ s_n < s_{n−1} 
    put u_n = q_n u_{n−1} + u_{n−2}; 
    put v_n = q_n v_{n−1} + v_{n−2}; 
end 
put u = (−1)^n u_{n−1}, v = (−1)^{n−1} v_{n−1}; 

gcd(a, b) = s_{n−1} = u·a + v·b                                   (A.8) 


Again Mathematica knows this extended version of Euclid's Algorithm as a standard function. It is 
called ExtendedGCD. 





{7, {107, -56}} 


Note that in the example above one indeed has that 


7 = gcd(861, 1645) = 107×861 − 56×1645. 

Proof of Algorithm A.8: 

First observe that the elements s_n, n ≥ 1, form a strictly decreasing sequence of non-negative 
integers. So the algorithm will terminate after at most b iterations. Later in this paragraph we shall 
analyze how fast Euclid's Algorithm really is. 

From the recurrence relation s_n = s_{n−2} − q_n s_{n−1} in the algorithm it follows that 

gcd(a, b) = gcd(s_0, s_1) = gcd(s_1, s_2) = ... = gcd(s_{n−1}, s_n) = gcd(s_{n−1}, 0) = s_{n−1}. 

This proves the first equality in (A.8). We shall now prove that for all k, 0 ≤ k ≤ n, 

(−1)^{k−1} u_k a + (−1)^k v_k b = s_k. 

Note that substitution of k = n − 1 in this relation proves the second equality in (A.8). 

For k = 0 and k = 1 the above relation holds by our choice of the initialization values for u_0, u_1, v_0 
and v_1. We now proceed by induction. It follows from the recurrence relations in the algorithm and 
from the induction hypothesis, that 

$$s_k = s_{k-2} - q_k s_{k-1} = \bigl((-1)^{k-3} u_{k-2}\, a + (-1)^{k-2} v_{k-2}\, b\bigr) - q_k \bigl((-1)^{k-2} u_{k-1}\, a + (-1)^{k-1} v_{k-1}\, b\bigr)$$
$$= (-1)^{k-1} (u_{k-2} + q_k u_{k-1})\, a + (-1)^{k} (v_{k-2} + q_k v_{k-1})\, b = (-1)^{k-1} u_k\, a + (-1)^{k} v_k\, b.$$

□ 


Of course there is no need to keep all the previously calculated values of s_k, u_k and v_k stored in the 
program. Only the last two of each together with q_k will suffice. The reason for introducing them 
in the algorithm was only to facilitate the readability of the proof above. 


With the Mathematica functions While, Floor and Print, the above algorithm runs like this: 

1×1×861 + −1×0×1645 = 861 
−1×1×861 + 1×1×1645 = 784 
1×2×861 + −1×1×1645 = 77 
−1×21×861 + 1×11×1645 = 14 
1×107×861 + −1×56×1645 = 7 


We would like to conclude this section by saying something about the complexity of Euclid's 
Algorithm. It may be clear that this algorithm is at its slowest if at each step the quotient q_k has 
value 1 (if possible). This is the case if s_{k−2} = s_{k−1} + s_k for all 2 ≤ k ≤ n − 1 and s_{n−2} = 2 s_{n−1}, 
s_n = 0. In other words, the smallest value of b (and arbitrary 0 < a < b) such that the evaluation of 
gcd(a, b) takes n − 1 steps is given by b = F_n and a = F_{n−1}, where the sequence {F_i}_{i≥0} is the 
famous sequence of Fibonacci numbers defined by F_0 = 0, F_1 = 1, F_{i+2} = F_{i+1} + F_i for i ≥ 0. 


By letting Mathematica operate repeatedly on a list of two consecutive Fibonacci numbers (the 
function Nest is used for this), one gets the following method to evaluate these numbers (in the 
example F_100 and F_101 are computed): 

{354224848179261915075, 573147844013817084101} 


This could also have been done directly with the function Fibonacci. 

354224848179261915075 


The reader may check the above analysis in the following way. 





{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 
19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 
35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 
51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 
67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 
83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98} 


Note that the GCDiterations algorithm above does not affect the values of a and b (contrary to our 
implementation of the simple version of Euclid's algorithm). It also makes use of the Mathematica 
function Mod that will be discussed in the next section. 




Plugging in F_i = c·f^i in the defining recurrence relation of the Fibonacci numbers, so in 
F_{i+2} = F_{i+1} + F_i, leads to the quadratic equation f^2 = f + 1, which has as zeros (1 ± √5)/2. Without 
proof we state the following upper bound on the complexity of Euclid's Algorithm. The reader may 
prove it with induction on b (distinguish the cases a ≤ b/2 and b/2 < a ≤ b). 

Theorem A.9 Complexity of Euclid's Algorithm 
Let a and b be positive integers, b ≥ a, b ≠ 1, and let f = (1 + √5)/2. Then the number of 
iterations that Euclid's Algorithm will need to compute gcd(a, b) is at most log_f b. 
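The factorization formulas (A.5) to (A.7), Algorithm A.8 and the Fibonacci worst case of Theorem A.9 in added Python code (not the book's Mathematica session). `extended_gcd` follows the bookkeeping of Algorithm A.8 literally, including the (−1)^n signs, so its intermediate values can be compared with the trace printed above; it additionally returns the number of iterations n − 1 so that the bound log_f b of Theorem A.9 can be checked on Fibonacci pairs. `factorize` is a plain trial-division helper assumed here for the small numbers of the examples; all function names are this example's own.

```python
from math import log, sqrt


def factorize(n):
    """Trial-division factorization of n > 0 as a dict {prime: exponent}."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def gcd_lcm_from_factorizations(a, b):
    """(A.5) and (A.6): the gcd takes the minimum exponent of every prime, the lcm the maximum."""
    fa, fb = factorize(a), factorize(b)
    g = l = 1
    for p in set(fa) | set(fb):
        g *= p ** min(fa.get(p, 0), fb.get(p, 0))
        l *= p ** max(fa.get(p, 0), fb.get(p, 0))
    return g, l


def extended_gcd(a, b):
    """Algorithm A.8 as stated in the appendix, input b >= a > 0.
    Returns (gcd, u, v, iterations) with gcd(a, b) = u*a + v*b, relation (A.8)."""
    if not b >= a > 0:
        raise ValueError("need b >= a > 0")
    s, u, v = [b, a], [0, 1], [1, 0]      # s_0 = b, s_1 = a; u_0, u_1; v_0, v_1
    n = 1
    while s[n] > 0:
        n += 1
        q, r = divmod(s[n - 2], s[n - 1])  # s_{n-2} = q_n s_{n-1} + s_n
        s.append(r)
        u.append(q * u[n - 1] + u[n - 2])
        v.append(q * v[n - 1] + v[n - 2])
    return s[n - 1], (-1) ** n * u[n - 1], (-1) ** (n - 1) * v[n - 1], n - 1


def fibonacci(i):
    """F_0 = 0, F_1 = 1, F_{i+2} = F_{i+1} + F_i."""
    a, b = 0, 1
    for _ in range(i):
        a, b = b, a + b
    return a


def within_theorem_a9_bound(a, b):
    """Theorem A.9: the number of iterations is at most log_f(b) with f = (1 + sqrt 5)/2."""
    f = (1 + sqrt(5)) / 2
    return extended_gcd(a, b)[3] <= log(b, f)


if __name__ == "__main__":
    print(extended_gcd(861, 1645))                       # (7, 107, -56, 5)
    print(gcd_lcm_from_factorizations(861, 1645))        # (7, 202335)
    print(fibonacci(100))                                # 354224848179261915075
    print(all(within_theorem_a9_bound(fibonacci(i - 1), fibonacci(i)) for i in range(3, 60)))
```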







A.3 Congruences, Fermat, Euler, Chinese Remainder Theorem 


A.3.1 Congruences 

Definition A.4 
Let m be a positive integer. Two integers a and b are called congruent modulo m, denoted by 
a ≡ b (mod m), if m divides the difference a − b. 

The Mathematica function Mod[a, m] gives the unique integer r, 0 ≤ r < m, such that 
a ≡ r (mod m). 







An easy test if the integers a and b are congruent to each other modulo m is given by the following 
example: 





Definition A.5 
A set of m integers a_i, 1 ≤ i ≤ m, is called a complete residue system modulo m if every 
integer is congruent to exactly one of the elements a_i, 1 ≤ i ≤ m, modulo m. 








The most commonly used complete residue systems modulo m are the sets {0, 1, ..., m − 1} and 
{1, 2, ..., m}. With the Mathematica functions Range and Table one can generate these 
systems. 

{0, 1, 2, 3, 4, 5, 6, 7, 8, 9} 


Clearly the m integers a_i, 1 ≤ i ≤ m, form a complete residue system modulo m if and only if for 
each pair 1 ≤ i, j ≤ m one has that 

a_i ≡ a_j (mod m)  ⇒  i = j.                                  (A.9) 


The congruence relation ≡ modulo m defines an equivalence relation (see Definition B.5) on ℤ. A complete residue system is just a set of representatives of the m equivalence classes.

Lemma A.10
Let $ka \equiv kb \pmod m$ and gcd(k, m) = d. Then
$$a \equiv b \pmod{m/d}.$$
Proof: Write k = k'd and m = m'd with gcd(k', m') = 1. It follows from ka − kb = xm, for some x ∈ ℤ, that k'(a − b) = xm'. Since gcd(m', k') = 1, it follows from Lemma A.4 that m' | (a − b), i.e. $a \equiv b \pmod{m'}$.

Lemma A.11
Let a_1, a_2, ..., a_m be a complete residue system modulo m and let gcd(k, m) = 1. Then ka_1, ka_2, ..., ka_m is also a complete residue system modulo m.

Proof: We use criterion (A.9). By Lemma A.10, $ka_i \equiv ka_j \pmod m$ implies that $a_i \equiv a_j \pmod m$. This in turn implies that i = j.
A.3.2 Euler and Fermat


Often we shall only be interested in representatives of those residue classes modulo m whose elements are coprime with m. The number of these classes is denoted by the following function.

Definition A.6
Euler's Totient Function φ (see Euler) is defined by
$$\varphi(m) = \bigl|\{\,0 \le i < m \mid \gcd(i, m) = 1\,\}\bigr|.$$
In words, φ(m) is the number of integers between 0 and m − 1 that are coprime with m.





In Mathematica, this function can be evaluated with the EulerPhi[n] function. For instance

m = 15; EulerPhi[m]

8

corresponding to the eight elements 1, 2, 4, 7, 8, 11, 13, and 14. Later on in this section we see how the function φ(m) can be computed efficiently.


Theorem A.12
For all positive integers m
$$\sum_{d \mid m} \varphi(d) = m.$$

It is quite easy to see in an example which of the m integers between 0 and m − 1 contribute to which term φ(d) with d | m. When m = 15, we have the divisors 1, 3, 5 and 15 of m. The eight elements 1, 2, 4, 7, 8, 11, 13, 14 all have gcd 1 with 15 (note that φ(15) = 8), the four (= φ(5)) elements 3, 6, 9, 12 have gcd 3 with 15, the two (= φ(3)) elements 5, 10 have gcd 5 with 15, and the single (= φ(1)) element 0 has gcd 15.


Proof of Theorem A.12:
Let d divide m. By writing r = id one sees immediately that the number of elements r, 0 ≤ r < m, with gcd(r, m) = d is equal to the number of integers i with 0 ≤ i < m/d and gcd(i, m/d) = 1; therefore, this number is φ(m/d).

On the other hand, gcd(r, m) divides m for each integer r, 0 ≤ r < m. It follows that $\sum_{d \mid m} \varphi(m/d) = m$. This statement is equivalent to what needs to be proved.

In Mathematica one can define a (non-standard) statement that evaluates sums of function values f[d] over all divisors d of a given integer m.


Definition A.7
A set of φ(m) integers r_1, r_2, ..., r_{φ(m)} is called a reduced residue system modulo m if each integer j with gcd(j, m) = 1 is congruent to (exactly) one of the elements r_i, 1 ≤ i ≤ φ(m).

A reduced residue system can be quite easily generated by means of newly defined Mathematica functions CoPrimeQ and CoPrimes, which are used again below.


Analogously to Lemma A.11 one has the following lemma.

Lemma A.13
Let r_1, r_2, ..., r_{φ(m)} be a reduced residue system modulo m and let gcd(a, m) = 1. Then ar_1, ar_2, ..., ar_{φ(m)} is also a reduced residue system modulo m.

With the above lemma one can easily prove that the classes in a reduced residue system form a multiplicative group (see Subsection B.1.1).

Theorem A.14 (see Euler)
Let a and m be two integers that are coprime. Then
$$a^{\varphi(m)} \equiv 1 \pmod m.$$


It is quite easy to check this theorem in concrete cases.

m = 123457; a = 11111; GCD[m, a]
EulerPhi[m]
Mod[a^EulerPhi[m], m]

Exponentiations modulo some integer can be performed much faster in Mathematica with the PowerMod[a, b, m] function, which reduces all intermediate results in the computation of a^b modulo m:

m = 123456789; a = 1111111111; GCD[m, a]
PowerMod[a, EulerPhi[m], m]





Proof: Let r_1, r_2, ..., r_{φ(m)} be a reduced residue system modulo m. By Lemma A.13
$$\prod_{i=1}^{\varphi(m)} r_i \;\equiv\; \prod_{i=1}^{\varphi(m)} (a r_i) \;\equiv\; a^{\varphi(m)} \prod_{i=1}^{\varphi(m)} r_i \pmod m.$$
Since each factor r_i is coprime with m, one can divide both hands by each r_i by Lemma A.10. This results in $1 \equiv a^{\varphi(m)} \pmod m$.


Let p be a prime number. Since every integer i, 1 ≤ i < p, is coprime with p, it follows that φ(p) = p − 1. Euler's Theorem implies the next theorem for all values of a except for a's that are a multiple of p. For these values, the statement in the next theorem is trivially satisfied.

Theorem A.15 Fermat's Little Theorem
Let p be a prime number and let a be any integer. Then
$$a^p \equiv a \pmod p.$$


This can easily be checked in individual cases with the Mathematica function PowerMod.

p = 98947; a = 12345; PrimeQ[p]
PowerMod[a, p, p] == a

True


As we have just observed, φ(p) = p − 1 for prime p. Because exactly one of every p consecutive integers is divisible by p, we have the following stronger result:
$$\varphi(p^e) = p^e - p^e/p = p^{e-1}(p - 1) = p^e\Bigl(1 - \frac{1}{p}\Bigr). \qquad (\text{A.10})$$

Definition A.8
A function $f : \mathbb{N} \to \mathbb{R}$ is said to be multiplicative if for every pair of positive integers m and n
$$\gcd(m, n) = 1 \;\Rightarrow\; f(mn) = f(m)\, f(n).$$


Lemma A.16
Euler's Totient function φ(m) is multiplicative.

Proof: Let m and n be coprime and let a_1, a_2, ..., a_{φ(m)} and b_1, b_2, ..., b_{φ(n)} be reduced residue systems modulo m resp. n. It suffices to show that the φ(m)φ(n) integers n·a_i + m·b_j, 1 ≤ i ≤ φ(m) and 1 ≤ j ≤ φ(n), form a reduced residue system modulo mn. It is quite easy to check that the integers n·a_i + m·b_j, 1 ≤ i ≤ φ(m) and 1 ≤ j ≤ φ(n), are all distinct modulo mn and that they are coprime with mn (use Lemma A.15 and formula (A.9)).

It remains to verify that any integer k with gcd(k, m·n) = 1 is congruent to n·a_i + m·b_j modulo mn for some 1 ≤ i ≤ φ(m) and 1 ≤ j ≤ φ(n).

From Lemma A.13 we know that integers i and j, 1 ≤ i ≤ φ(m) and 1 ≤ j ≤ φ(n), exist for which
$$k \equiv n a_i \pmod m \quad\text{and}\quad k \equiv m b_j \pmod n.$$
This implies that both m and n divide k − n·a_i − m·b_j. Since gcd(m, n) = 1, it follows from (A.4) and (A.7) that also m·n divides k − n·a_i − m·b_j.


Theorem A.17
$$\varphi(m) = m \prod_{p \mid m,\; p \text{ prime}} \Bigl(1 - \frac{1}{p}\Bigr).$$

Proof: Combine (A.10) and Lemma A.16.

In Section A.5 we shall see how a direct counting argument also proves Theorem A.17.

With the Mathematica functions Length and EulerPhi and the function CoPrimes (which makes use of CoPrimeQ) defined above one can check Theorem A.17 as follows:
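As an added example that is not part of the book, the Python code below computes φ(m) both by counting (Definition A.6) and by the product formula (Theorem A.17), checks the divisor-sum identity of Theorem A.12, and verifies Euler's and Fermat's theorems on the page's own parameters (m = 123457 with a = 11111, m = 123456789 with a = 1111111111, p = 98947 with a = 12345). The function names and the trial-division factorization are my own.

```python
from math import gcd


def phi_by_counting(m):
    """Definition A.6: the number of i with 0 <= i < m and gcd(i, m) == 1."""
    return sum(1 for i in range(m) if gcd(i, m) == 1)


def prime_divisors(m):
    """Distinct primes dividing m, by trial division (adequate for these sizes)."""
    primes, p = [], 2
    while p * p <= m:
        if m % p == 0:
            primes.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        primes.append(m)
    return primes


def phi_by_formula(m):
    """Theorem A.17: phi(m) = m * prod_{p | m} (1 - 1/p), in integer arithmetic."""
    result = m
    for p in prime_divisors(m):
        result = result // p * (p - 1)
    return result


def divisors(m):
    return [d for d in range(1, m + 1) if m % d == 0]


def divisor_sum_of_phi(m):
    """Left-hand side of Theorem A.12: the sum of phi(d) over all divisors d of m."""
    return sum(phi_by_formula(d) for d in divisors(m))


def euler_theorem_holds(a, m):
    """Theorem A.14: a^phi(m) == 1 (mod m) when gcd(a, m) == 1.

    pow(a, e, m) reduces every intermediate product modulo m, like PowerMod.
    """
    return gcd(a, m) == 1 and pow(a, phi_by_formula(m), m) == 1


def fermat_holds(a, p):
    """Theorem A.15: a^p == a (mod p) for a prime p and any integer a."""
    return pow(a, p, p) == a % p


if __name__ == "__main__":
    print(phi_by_counting(15), phi_by_formula(15))   # 8 8
    print(divisor_sum_of_phi(15))                     # 15
    print(euler_theorem_holds(11111, 123457))         # True
    print(euler_theorem_holds(1111111111, 123456789)) # True
    print(fermat_holds(12345, 98947))                 # True
    # Caveat: the converse of Fermat's theorem fails. 561 = 3 * 11 * 17 is
    # composite, yet 2^561 == 2 (mod 561); a Fermat test alone proves nothing.
    print(fermat_holds(2, 561))                       # True
```

The last line is the reason a practitioner never accepts a modulus as prime on the strength of a single Fermat check: composite numbers such as 561 pass it for many bases.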


A.3.3 Solving Linear Congruence Relations 


The simplest congruence relation that one may have to solve is the single linear congruence relation
$$ax \equiv b \pmod m. \qquad (\text{A.11})$$

Theorem A.18
The linear congruence relation $ax \equiv b \pmod m$ has a solution x if and only if gcd(a, m) divides b. In this case the number of different solutions modulo m is gcd(a, m).

Proof: That gcd(a, m) | b is a necessary condition for (A.11) to have a solution x is trivial. We shall now prove that it is also a sufficient condition.

Let d = gcd(a, m) and write a = a'd, m = m'd and b = b'd, where gcd(a', m') = 1. By Lemma A.11, the congruence relation $a'x \equiv b' \pmod{m'}$ has a unique solution x' modulo m'. Clearly, a solution x of $ax \equiv b \pmod m$ satisfies $x \equiv x' \pmod{m'}$. So, each solution x modulo m can be written as x' + im', 0 ≤ i < d. Write a'x' = b' + um', u ∈ ℤ. Then for each 0 ≤ i < d,
$$a(x' + im') = d a' x' + i d a' m' = d b' + u d m' + i a' m = b + (u + i a') m.$$
Hence, the numbers x' + im', 0 ≤ i < d, represent all the solutions modulo m of $ax \equiv b \pmod m$.

The solution of $ax \equiv b \pmod m$, gcd(a, m) = 1, can easily be found with the extended version of Euclid's Algorithm. Indeed, from ua + vm = 1 (see Theorem A.3), it follows that $ua \equiv 1 \pmod m$. So, the solution x is given by bu (mod m). If gcd(a, m) = 1, one often writes $a^{-1}$ for the unique element u satisfying $ua \equiv 1 \pmod m$.


Example A.1 (Method 1)
To solve $14x \equiv 26 \pmod{34}$, we note that gcd(14, 34) = 2, which indeed divides 26.

We first solve $7x' \equiv 13 \pmod{17}$. With the extended version of Euclid's Algorithm we find 5·7 + (−2)·17 = gcd(7, 17) = 1. So, $7 \cdot 5 \equiv 1 \pmod{17}$ and x' can be computed from $x' \equiv 7^{-1} \cdot 13 \equiv 5 \cdot 13 \equiv 14 \pmod{17}$.

By the theorem above, $14x \equiv 26 \pmod{34}$ has the numbers 14 and 14 + 17 = 31 as solutions modulo 34.

{2, {5, -2}}

14

Example A.2 (Method 2)

To solve $123456789\,x \equiv 135798642 \pmod{179424673}$, we first check if gcd(123456789, 179424673) divides 135798642. Next, we compute $123456789^{-1} \bmod 179424673$ and then compute $123456789^{-1} \cdot 135798642$, which gives 21562478 as solution.

Instead of using Euclid's Algorithm to compute $123456789^{-1} \bmod 179424673$, we can also use Euler's Theorem. Indeed, $a^{\varphi(m)} \equiv 1 \pmod m$ implies that $a \cdot a^{\varphi(m)-1} \equiv 1 \pmod m$ and thus that $a^{-1} \equiv a^{\varphi(m)-1} \pmod m$.
172609538

So, the number 172609538 is the multiplicative inverse of 123456789 modulo 179424673. The solution x of the congruence relation $123456789\,x \equiv 135798642 \pmod{179424673}$ is given by:

21562478

We can check this:

135798642

The Mathematica function PowerMod computes the multiplicative inverse of a number very efficiently in the following way:

PowerMod[123456789, -1, 179424673]

172609538

The Mathematica function Solve gives all the solutions of the congruence relation $ax \equiv b \pmod m$, if they exist.

{{Modulus -> 16, x -> 2}, {Modulus -> 16, x -> 6}, {Modulus -> 16, x -> 10}, {Modulus -> 16, x -> 14}}

One can also extract only the values of x from this list.
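As an added example that is not part of the book, the following Python code implements Method 1 of Example A.1 in general: the extended Euclidean Algorithm (Theorem A.3), the inverse $a^{-1} \bmod m$, and a solver that returns all gcd(a, m) solutions of $ax \equiv b \pmod m$ exactly as the proof of Theorem A.18 constructs them. The function names are my own; the numbers in the usage lines are the page's Examples A.1 and A.2 and the Solve output above.

```python
def extended_gcd(a, b):
    """Extended Euclid (Theorem A.3): return (d, u, v) with u*a + v*b == d == gcd(a, b)."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def mod_inverse(a, m):
    """a^{-1} mod m, the u of u*a + v*m == 1; raises if gcd(a, m) != 1."""
    d, u, _ = extended_gcd(a % m, m)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd = {d}")
    return u % m


def solve_linear_congruence(a, b, m):
    """All solutions x, 0 <= x < m, of a*x == b (mod m), following Theorem A.18.

    Returns [] when gcd(a, m) does not divide b; otherwise exactly gcd(a, m)
    solutions x' + i*m', 0 <= i < d, where x' solves the reduced relation.
    """
    a, b = a % m, b % m
    d, _, _ = extended_gcd(a, m)
    if b % d != 0:
        return []
    a1, b1, m1 = a // d, b // d, m // d        # a' x == b' (mod m'), gcd(a', m') == 1
    x1 = b1 * mod_inverse(a1, m1) % m1         # the unique solution x' modulo m'
    return [x1 + i * m1 for i in range(d)]


if __name__ == "__main__":
    print(extended_gcd(14, 34))                                      # (2, 5, -2)
    print(solve_linear_congruence(14, 26, 34))                       # [14, 31]
    print(mod_inverse(123456789, 179424673))                         # 172609538
    print(solve_linear_congruence(123456789, 135798642, 179424673))  # [21562478]
    print(solve_linear_congruence(4, 8, 16))                         # [2, 6, 10, 14]
```

Note that `mod_inverse` refuses to return anything when gcd(a, m) ≠ 1; silently returning a value there is a classic source of wrong results in modular code.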





A.3.4 The Chinese Remainder Theorem

We shall now discuss the case that x has to satisfy several linear congruence relations simultaneously, say $a_i x \equiv b_i \pmod{m_i}$ with gcd(a_i, m_i) | b_i for 1 ≤ i ≤ k. Dividing the i-th relation by d_i = gcd(a_i, m_i), 1 ≤ i ≤ k, one gets as before the congruence relation $a_i' x' \equiv b_i' \pmod{m_i'}$, with gcd(a_i', m_i') = 1. By the proof of Theorem A.18, a solution of this congruence relation is equivalent to a solution of one of the d_i congruence relations $a_i' x \equiv b_i' + j m_i' \pmod{m_i}$, 0 ≤ j < d_i. In view of this, we restrict our attention to the case that gcd(a_i, m_i) = 1 for all i, 1 ≤ i ≤ k.

Theorem A.19 The Chinese Remainder Theorem
Let m_i, 1 ≤ i ≤ k, be k pairwise coprime integers. Further, let a_i, 1 ≤ i ≤ k, be integers with gcd(a_i, m_i) = 1. Then the system of k simultaneous congruence relations
$$a_i x \equiv b_i \pmod{m_i}, \qquad 1 \le i \le k, \qquad (\text{A.12})$$
has a unique solution modulo $\prod_{i=1}^{k} m_i$ for all possible k-tuples of integers b_1, b_2, ..., b_k.


Proof: Suppose that x' and x'' both form a solution. Then $a_i(x' - x'') \equiv 0 \pmod{m_i}$, 1 ≤ i ≤ k. By Lemma A.4, m_i divides x' − x'' for all 1 ≤ i ≤ k. It follows that $x' \equiv x'' \pmod{\prod_{i=1}^{k} m_i}$. Hence, if the k congruence relations have a simultaneous solution, it will be unique modulo $\prod_{i=1}^{k} m_i$.

On the other hand, since there are as many different values for x modulo $\prod_{i=1}^{k} m_i$ as there are possible k-tuples of reduced right hand sides b_1, b_2, ..., b_k, there must be a one-to-one correspondence between them.

The proof above does not give an efficient algorithm to determine the solution of (A.12). We shall now explain how this can be done.

Let 1 ≤ i ≤ k and let u_i be the unique solution modulo $\prod_{j=1}^{k} m_j$ of
$$a_i u_i \equiv 1 \pmod{m_i}, \qquad (\text{A.13})$$
$$a_i u_i \equiv 0 \pmod{m_j}, \quad 1 \le j \le k,\; j \ne i. \qquad (\text{A.14})$$

With Euclid's Algorithm u_i is easy to determine. Indeed, from (A.14) it follows that u_i is a multiple of $m_i^{\ast}$ defined by $\prod_{j \ne i} m_j$, say $u_i = r\, m_i^{\ast}$ for some 0 ≤ r < m_i. The value of r follows from (A.13). Indeed, r is the solution of $a_i\, r\, m_i^{\ast} \equiv 1 \pmod{m_i}$. Hence
$$u_i = \Bigl\{(a_i m_i^{\ast})^{-1} \pmod{m_i}\Bigr\}\, m_i^{\ast}.$$
The numbers u_i, 1 ≤ i ≤ k, can be stored using at most $k \log_2 m$ bits of memory space, where m denotes $\prod_{j=1}^{k} m_j$. The solution of (A.12) is now given by
$$x = u_1 b_1 + u_2 b_2 + \cdots + u_k b_k.$$


Example A.3

To solve
$$3x \equiv 7 \pmod{11}, \qquad 2x \equiv 9 \pmod{13}, \qquad 12x \equiv 5 \pmod{17},$$
we rewrite these congruences as
$$x \equiv 3^{-1} \cdot 7 \pmod{11}, \qquad x \equiv 2^{-1} \cdot 9 \pmod{13}, \qquad x \equiv 12^{-1} \cdot 5 \pmod{17},$$
which reduces to
$$x \equiv 4 \cdot 7 \pmod{11}, \qquad x \equiv 7 \cdot 9 \pmod{13}, \qquad x \equiv 10 \cdot 5 \pmod{17},$$
$$x \equiv 6 \pmod{11}, \qquad x \equiv 11 \pmod{13}, \qquad x \equiv 16 \pmod{17}.$$

Next we compute the solutions of
$$u_1 \equiv 1 \pmod{11}, \qquad u_1 \equiv 0 \pmod{13}, \qquad u_1 \equiv 0 \pmod{17},$$
$$u_2 \equiv 0 \pmod{11}, \qquad u_2 \equiv 1 \pmod{13}, \qquad u_2 \equiv 0 \pmod{17},$$
$$u_3 \equiv 0 \pmod{11}, \qquad u_3 \equiv 0 \pmod{13}, \qquad u_3 \equiv 1 \pmod{17}.$$

Writing u_1 = l_1·13·17, u_2 = l_2·11·17, u_3 = l_3·11·13, we find with Theorem A.18 (or the Solve function) that $l_1 \equiv 1 \pmod{11}$, $l_2 \equiv 8 \pmod{13}$, $l_3 \equiv 5 \pmod{17}$, and thus that $u_1 \equiv 221$, $u_2 \equiv 1496$, $u_3 \equiv 715 \pmod{11 \cdot 13 \cdot 17}$.

We conclude that $x \equiv 6 \cdot 221 + 11 \cdot 1496 + 16 \cdot 715 \equiv 50 \pmod{11 \cdot 13 \cdot 17}$.
To solve congruence relations $x \equiv b_i \pmod{m_i}$, 1 ≤ i ≤ k, with all the m_i's mutually prime, with the Chinese Remainder Theorem in Mathematica, we first read the package

NumberTheory`NumberTheoryFunctions`

Such a system can now be solved with the Mathematica function ChineseRemainderTheorem that is available in the above package. We demonstrate this by determining u_1, u_2, and u_3 in the above example.

When considering the system of congruence relations $a_i x \equiv b_i \pmod{m_i}$, 1 ≤ i ≤ k, where the m_i's are relatively prime and where gcd(a_i, m_i) = 1 for 1 ≤ i ≤ k, it is quite easy for Mathematica to reduce this system to the equivalent system $x \equiv a_i^{-1} b_i \pmod{m_i}$, 1 ≤ i ≤ k, which can be solved with the ChineseRemainderTheorem function. We use the functions PowerMod and Mod for this reduction. They operate equally well on vectors (coordinatewise) as on numbers.

We demonstrate this with the parameters of the example above.
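As an added example that is not part of the book, the Python code below carries out the construction of the section in general: it computes the weights u_i of (A.13) and (A.14), reduces a system $a_i x \equiv b_i \pmod{m_i}$ to $x \equiv a_i^{-1} b_i \pmod{m_i}$ as in Example A.3, and assembles $x = \sum u_i b_i$. The function names are my own; it relies on Python's built-in `pow(a, -1, m)` (Python 3.8 or later) for modular inverses, and it rejects moduli that are not pairwise coprime because the theorem does not apply then.

```python
from math import gcd, prod


def crt_weights(moduli):
    """u_i of (A.13)/(A.14) with a_i = 1: u_i == 1 (mod m_i), u_i == 0 (mod m_j) for j != i."""
    total = prod(moduli)
    weights = []
    for m_i in moduli:
        m_star = total // m_i                 # m_i^* = product of the other moduli
        r = pow(m_star % m_i, -1, m_i)        # r = (m_i^*)^{-1} mod m_i
        weights.append(r * m_star)
    return weights


def chinese_remainder(coeffs, rhs, moduli):
    """Solve a_i x == b_i (mod m_i), i = 1..k (Theorem A.19).

    Requires pairwise coprime moduli and gcd(a_i, m_i) == 1 (pow raises otherwise).
    Returns (x, M) with 0 <= x < M = prod(moduli).
    """
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    # Reduce to x == a_i^{-1} b_i (mod m_i), as in Example A.3.
    residues = [pow(a % m, -1, m) * b % m for a, b, m in zip(coeffs, rhs, moduli)]
    total = prod(moduli)
    x = sum(u * b for u, b in zip(crt_weights(moduli), residues)) % total
    return x, total


def satisfies(x, coeffs, rhs, moduli):
    """Check a candidate x against every congruence of the system."""
    return all((a * x - b) % m == 0 for a, b, m in zip(coeffs, rhs, moduli))


if __name__ == "__main__":
    print(crt_weights([11, 13, 17]))                               # [221, 1496, 715]
    print(chinese_remainder([3, 2, 12], [7, 9, 5], [11, 13, 17]))  # (50, 2431)
```

The weights depend only on the moduli, so for a fixed set of moduli they are computed once and reused for every right-hand side, which is exactly the storage remark made above (k numbers, each below the product of the moduli).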
A.4 Quadratic Residues

Let p be an odd prime. The quadratic congruence relation $ax^2 + bx + c \equiv 0 \pmod p$, $a \not\equiv 0 \pmod p$, can be simplified by dividing the congruence relation by a followed by the substitution $x \to x - b/(2a)$. In this way, $ax^2 + bx + c \equiv 0 \pmod p$ reduces to a quadratic congruence relation of the type
$$x^2 \equiv u \pmod p. \qquad (\text{A.15})$$

Definition A.9
Let u be an integer not divisible by the odd prime p. Then u is called a quadratic residue modulo p (QR) if (A.15) has a solution; otherwise u is called a quadratic nonresidue modulo p (NQR).

Definition A.10
Let p be an odd prime and u an integer. The Legendre symbol $\left(\frac{u}{p}\right)$ is defined by
$$\left(\frac{u}{p}\right) = \begin{cases} +1 & \text{if } u \text{ is a quadratic residue mod } p, \\ -1 & \text{if } u \text{ is a quadratic nonresidue mod } p, \\ 0 & \text{if } p \text{ divides } u. \end{cases}$$
If there is no confusion about the actual choice of the prime number p, one often writes χ(u) instead of $\left(\frac{u}{p}\right)$.





The Legendre symbol is a special case of the following function.

Definition A.11
Let $m = \prod_i p_i^{e_i}$ be an odd integer and let u be an integer with gcd(u, m) = 1. Then the Jacobi symbol $\left(\frac{u}{m}\right)$ is defined by
$$\left(\frac{u}{m}\right) = \prod_i \left(\frac{u}{p_i}\right)^{e_i},$$
where $\left(\frac{u}{p_i}\right)$ denotes the Legendre symbol.

The Jacobi symbol (and a fortiori the Legendre symbol) can be evaluated with the standard Mathematica function JacobiSymbol[u, m]. So, we can check if 12 is a quadratic residue modulo 13 (indeed $5^2 \equiv 12 \pmod{13}$) by means of JacobiSymbol[12, 13], which should give value 1.





We want to derive some properties of the Legendre symbol.

Let $a^2 \equiv u \pmod p$. Then also $(p - a)^2 \equiv u \pmod p$. The polynomial $x^2 - u$ has at most two zeros in GF(p) (see Theorem B.15), so modulo p there can not be more than two different solutions to $x^2 \equiv u \pmod p$. It follows that the quadratic residues modulo p are given by the integers
$$i^2 \pmod p, \qquad 1 \le i \le \frac{p-1}{2},$$
or, alternatively, by the integers $(p - i)^2 \pmod p$, $1 \le i \le \frac{p-1}{2}$. We conclude that there are exactly $\frac{p-1}{2}$ QR's and $\frac{p-1}{2}$ NQR's. This proves the first of the following two theorems.

Theorem A.20
Let p be an odd prime. Then exactly $\frac{p-1}{2}$ of the integers 0, 1, ..., p − 1 are quadratic residues and $\frac{p-1}{2}$ are quadratic non-residues. In formula
$$\sum_{u=0}^{p-1} \chi(u) = 0.$$

The reader can check the above theorem in concrete examples by means of two Mathematica functions defined for this purpose.
Theorem A.21
Let p be an odd prime. Then for all integers u and v
$$\chi(uv) = \chi(u)\,\chi(v).$$
Proof: This theorem will be a trivial consequence of Theorem A.23 later on. We shall present here a more elementary proof.

If p divides u or v the assertion is trivial, because both hands are equal to zero. The proof in case that p divides neither u nor v is split up in three cases.

Case 1: u and v are both QR.
Then $u \equiv a^2 \pmod p$ and $v \equiv b^2 \pmod p$ for some integers a and b. It follows that $uv \equiv (ab)^2 \pmod p$. So uv is QR.

Case 2: Exactly one of u and v is QR, say u is QR and v is NQR.
Suppose that also uv is QR. Then there exist integers a and b such that $u \equiv a^2 \pmod p$ and $uv \equiv b^2 \pmod p$. Since $a \not\equiv 0 \pmod p$, it follows that $v \equiv (b/a)^2 \pmod p$. A contradiction!

Case 3: Both u and v are NQR.
From Lemma A.11 we know that i·u, i = 1, 2, ..., p − 1, runs through all non-zero elements modulo p. For the $\frac{p-1}{2}$ values of i for which i is QR, we have by Case 2 that i·u is NQR. So, for the $\frac{p-1}{2}$ values of i for which i is NQR, it follows that i·u is QR. Since v is one of these values of i, uv is QR.


Although the next theorem will never be used in this textbook, we do mention it, because it is often needed in related areas in Discrete Mathematics.

Theorem A.22
Let p be an odd prime. Then, for every integer v
$$\sum_{u=0}^{p-1} \chi(u)\,\chi(u + v) = \begin{cases} p - 1, & \text{if } p \text{ divides } v, \\ -1, & \text{otherwise.} \end{cases}$$

Proof: If p divides v, the statement is trivial. When p does not divide v, one has by Theorem A.21 and Theorem A.20 that
$$\sum_{u=0}^{p-1} \chi(u)\chi(u+v) = \sum_{u=1}^{p-1} \chi(u)\chi(u+v) = \sum_{u=1}^{p-1} \chi(u)^2 \chi(1 + v/u) = \sum_{u=1}^{p-1} \chi(1 + v/u) = \sum_{\substack{w=0 \\ w \ne 1}}^{p-1} \chi(w) = -1 + \sum_{w=0}^{p-1} \chi(w) = -1.$$
Here v/u denotes $v u^{-1} \bmod p$; as u runs through 1, ..., p − 1, the value 1 + v/u runs through all residues modulo p except 1.


Let u be QR, say $u \equiv a^2 \pmod p$. By Fermat's Theorem $u^{(p-1)/2} \equiv a^{p-1} \equiv 1 \pmod p$. So, the $\frac{p-1}{2}$ QR's are zeros of the polynomial $x^{(p-1)/2} - 1$ over GF(p). Since a polynomial of degree $\frac{p-1}{2}$ over GF(p) has at most $\frac{p-1}{2}$ different zeros in GF(p) (see Theorem B.15), one has in GF(p):
$$x^{(p-1)/2} - 1 = \prod_{u \text{ is QR}} (x - u). \qquad (\text{A.16})$$

It also follows that $u^{(p-1)/2} \not\equiv 1$ if u is NQR. Since $\bigl(u^{(p-1)/2}\bigr)^2 \equiv 1 \pmod p$ by Fermat's Theorem and since $y^2 \equiv 1 \pmod p$ has only 1 and −1 as roots, it follows that $u^{(p-1)/2} \equiv -1 \pmod p$ if u is NQR. This proves the following theorem for all u coprime with p. For p | u the theorem is trivially true.

Theorem A.23
Let p be an odd prime. Then for all integers u
$$\left(\frac{u}{p}\right) \equiv u^{(p-1)/2} \pmod p.$$
Corollary A.24
Let p be an odd prime. Then
$$\left(\frac{-1}{p}\right) = \begin{cases} 1, & \text{if } p \equiv 1 \pmod 4, \\ -1, & \text{if } p \equiv 3 \pmod 4. \end{cases}$$

Proof: $(-1)^{(p-1)/2} = 1$ if and only if $p \equiv 1 \pmod 4$.

Another value of the Legendre symbol that we shall need later on is $\left(\frac{2}{p}\right)$.

Theorem A.25
Let p be an odd prime. Then
$$\left(\frac{2}{p}\right) = \begin{cases} 1, & \text{if } p \equiv \pm 1 \pmod 8, \\ -1, & \text{if } p \equiv \pm 3 \pmod 8. \end{cases}$$

Proof:
$$2^{(p-1)/2} \prod_{k=1}^{(p-1)/2} k = \prod_{k=1}^{(p-1)/2} 2k = \Bigl(\prod_{k=1}^{\lfloor p/4 \rfloor} 2k\Bigr)\Bigl(\prod_{k=\lfloor p/4 \rfloor + 1}^{(p-1)/2} 2k\Bigr) \equiv (-1)^{\frac{p-1}{2} - \lfloor p/4 \rfloor} \Bigl(\prod_{k=1}^{\lfloor p/4 \rfloor} 2k\Bigr)\Bigl(\prod_{k=\lfloor p/4 \rfloor + 1}^{(p-1)/2} (p - 2k)\Bigr) \equiv (-1)^{\frac{p-1}{2} - \lfloor p/4 \rfloor} \prod_{k=1}^{(p-1)/2} k \pmod p.$$
(The even numbers 2k with $k \le \lfloor p/4 \rfloor$ and the odd numbers $p - 2k$ with $\lfloor p/4 \rfloor < k \le \frac{p-1}{2}$ together are exactly the integers 1, 2, ..., $\frac{p-1}{2}$.) Dividing both hands in the above relation by $\prod_{k=1}^{(p-1)/2} k$ yields
$$2^{(p-1)/2} \equiv (-1)^{\frac{p-1}{2} - \lfloor p/4 \rfloor} \pmod p.$$

The assertion now follows from Theorem A.23.


We recall the definition of the Jacobi symbol in terms of the Legendre symbol:
$$\left(\frac{u}{m}\right) = \prod_i \left(\frac{u}{p_i}\right)^{e_i}, \qquad \text{where } m = \prod_i p_i^{e_i}. \qquad (\text{A.17})$$

Theorem A.26
Let m and n be odd integers. Then the following relations hold for the Jacobi symbol:

i) $u \equiv v \pmod m \;\Rightarrow\; \left(\frac{u}{m}\right) = \left(\frac{v}{m}\right)$,

ii) $\left(\frac{u}{m}\right)\left(\frac{v}{m}\right) = \left(\frac{uv}{m}\right)$,

iii) $\left(\frac{u}{mn}\right) = \left(\frac{u}{m}\right)\left(\frac{u}{n}\right)$,

iv) $\left(\frac{-1}{m}\right) = 1$ if and only if $m \equiv 1 \pmod 4$,

v) $\left(\frac{2}{m}\right) = 1$ if and only if $m \equiv \pm 1 \pmod 8$.

Proof: The first two relations hold for the Legendre symbol and, by (A.17), also for the Jacobi symbol. The third relation is a direct consequence of (A.17).

To see that the fourth relation is a direct consequence of (A.17) and Corollary A.24, it suffices to observe that a product of an odd number of integers, each congruent to 3 modulo 4, is also congruent to 3 modulo 4, while for an even number the product will be 1 modulo 4. The proof of the last relation goes analogously (now use Theorem A.25).


One more relation is needed to be able to compute $\left(\frac{u}{m}\right)$ fast. We shall not give its proof, because the theory goes beyond the scope of this book. The interested reader is referred to Theorem 99 in [HarW45] or Theorem 7.2.1 in [Shap83].

Theorem A.27 (Quadratic Reciprocity Law by Gauss)
Let m and n be odd coprime integers. Then
$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = (-1)^{\frac{m-1}{2}\cdot\frac{n-1}{2}}.$$

With the relations in Theorem A.25, Theorem A.26, and Theorem A.27 one can evaluate the Jacobi symbol very quickly.

Example A.4

The Jacobi symbol with numerator 12703 is evaluated step by step: Theorem A.27 swaps numerator and denominator, Theorem A.26 i) reduces the new numerator modulo the denominator, Theorem A.26 ii) splits off the factors 2, which are evaluated with Theorem A.26 v), and Theorem A.27 is applied again to the remaining odd part, until the numerator becomes 1.

It should be easy for the reader to verify that the above method has roughly the same complexity as Euclid's Algorithm.

Of course we could have evaluated this Jacobi symbol directly with Mathematica, as we have seen before.
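As an added example that is not part of the book, the following Python function evaluates the Jacobi symbol exactly by the procedure of Example A.4, using only Theorem A.26 i), ii), v) and the reciprocity law of Theorem A.27, so that no factorization of the denominator is needed. It is cross-checked against Euler's criterion (Theorem A.23) and the list of squares of Theorem A.20 for prime denominators. The function names are my own.

```python
def jacobi(u, m):
    """Jacobi symbol (u/m) for odd m > 0, by Theorems A.26 and A.27 only.

    The loop mirrors Example A.4: reduce the numerator, strip factors 2,
    swap numerator and denominator (reciprocity), and repeat until the
    numerator is 0; the symbol is 0 exactly when gcd(u, m) > 1.
    """
    if m <= 0 or m % 2 == 0:
        raise ValueError("m must be a positive odd integer")
    u %= m                                  # A.26 i)
    result = 1
    while u != 0:
        while u % 2 == 0:                   # A.26 ii) and v): (2/m) = -1 iff m == +-3 (mod 8)
            u //= 2
            if m % 8 in (3, 5):
                result = -result
        u, m = m, u                         # A.27: sign flips iff both are 3 (mod 4)
        if u % 4 == 3 and m % 4 == 3:
            result = -result
        u %= m                              # A.26 i) again
    return result if m == 1 else 0


def legendre_by_euler(u, p):
    """Theorem A.23 (Euler's criterion): (u/p) == u^((p-1)/2) (mod p), p an odd prime."""
    r = pow(u % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def quadratic_residues(p):
    """Theorem A.20: the (p-1)/2 quadratic residues i^2 mod p, 1 <= i <= (p-1)/2."""
    return sorted({i * i % p for i in range(1, (p - 1) // 2 + 1)})


def jacobi_matches_legendre(p):
    """Cross-check jacobi() against Euler's criterion for every u modulo the odd prime p."""
    return all(jacobi(u, p) == legendre_by_euler(u, p) for u in range(p))


if __name__ == "__main__":
    print(jacobi(12, 13))                       # 1, since 5^2 == 12 (mod 13)
    print(quadratic_residues(13))               # [1, 3, 4, 9, 10, 12]
    print(jacobi(2, 15), jacobi(2, 3), jacobi(2, 5))   # 1 -1 -1
```

The last line shows the caveat that matters when the denominator is composite: $\left(\frac{2}{15}\right) = 1$ although 2 is a quadratic residue modulo neither 3 nor 5, so a Jacobi symbol of 1 does not certify that u is a square modulo a composite m. That asymmetry is exactly what the probabilistic primality tests and the encryption schemes discussed elsewhere in this book rely on.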





A.5 Continued Fractions

Quite often one wants to approximate a real number by means of a rational number. For instance, many people use 22/7 as an approximation of π. A better approximation of π is already given by 333/106 and again better is 355/113. One has to increase the denominator to 33102 to get the next improvement.

It is the theory of continued fractions that explains how to get such good approximations.

Clearly, each finite continued fraction represents a rational number. One can find it by simplifying the continued fraction step by step, starting with
$$a_{m-1} + \frac{1}{a_m} = \frac{a_{m-1} a_m + 1}{a_m}, \qquad a_{m-2} + \frac{1}{a_{m-1} + \frac{1}{a_m}} = a_{m-2} + \frac{a_m}{a_{m-1} a_m + 1},$$
etc.

In Mathematica this can be achieved with the function Normal.

We shall now show that the opposite is also true: each rational number has a finite continued fraction.





Proof: Let a/b, b > 0, represent a rational number. We apply the simple version of Euclid's Algorithm (Alg. A.7) to the pair (a, b), so we put s_0 = a, s_1 = b, and compute recursively $s_i = q_i s_{i+1} + s_{i+2}$, with $0 \le s_{i+2} < s_{i+1}$, until $s_{m+2} = 0$ (and thus $s_m = q_m s_{m+1}$) for some integer m. Then

We conclude that a/b has [q_0, q_1, ..., q_m] as continued fraction.

It is important to observe that the representation of a rational number as a finite simple continued fraction, where all the q_i's (i ≥ 1) are positive, is not completely unique. Although the manner in which the q_i's are calculated with the simple version of Euclid's Algorithm (see proof above) gives a unique value of the q_i's, it is clear that in the last step we have $q_m \ge 2$, since $s_{m+1} < s_m$.

As the last term in the expansion is a positive integer, and not equal to one, we can therefore rewrite the last term as follows:
$$q_m = (q_m - 1) + \frac{1}{1}.$$

This shows that [q_0, q_1, ..., q_m] has the same value as [q_0, q_1, ..., q_m − 1, 1]. The last term in a continued fraction can be chosen in such a way as to make the number of terms in the expansion either even or odd, if that would be convenient.

Formula (A.18) suggests the following way of computing a continued fraction of a number α.


Algorithm A.29
The continued fraction of a number α can be computed as follows:
$$\alpha_0 = \alpha,$$
$$a_i = \lfloor \alpha_i \rfloor \quad\text{and}\quad \alpha_{i+1} = \frac{1}{\alpha_i - a_i}, \qquad \text{for } i \ge 0,$$
giving the expansion $[a_0, a_1, a_2, \ldots]$.





Example A.5
Consider α = 11/9. Then we get $a_0 = \lfloor 11/9 \rfloor = 1$ and $\alpha_1 = 1/(11/9 - 1) = 9/2$, then $a_1 = \lfloor 9/2 \rfloor = 4$ and $\alpha_2 = 1/(9/2 - 4) = 2$, and $a_2 = 2$.

We continue with $\alpha_3 = 1/(\alpha_2 - a_2) = 1/0$, on which Mathematica reports

Power::infy : Infinite expression 1/0 encountered.

We conclude that α_2 = a_2 and thus that the continued fraction is given by [1, 4, 2]. We can check this quite easily: $1 + \frac{1}{4 + \frac{1}{2}} = 1 + \frac{2}{9} = \frac{11}{9}$.

To let Mathematica compute the continued fraction of a number, first the package

NumberTheory`ContinuedFractions`

has to be loaded.

To find the continued fraction of a rational number, one can use the function ContinuedFraction.

If α is not rational, one has to include the number of terms that one wants to see.

To express such a continued fraction as a regular fraction, one can use the Mathematica function Normal again.

4272943/1360120

If a continued fraction is given in the form [a_0, a_1, ..., a_m], one gets the regular continued fraction by means of the function ContinuedFractionForm. The reader should know that in Mathematica the numbering of the indices starts with 1, 2, etc.

To obtain the continued fraction of a number α in the form [a_0, a_1, ..., a_m], one can just append [[1]] to the function ContinuedFraction[α, n].

ContinuedFraction[Pi, 10][[1]]

{3, 7, 15, 1, 292, 1, 1, 1, 2, 1}

The k-th convergent C_k of a continued fraction [a_0, a_1, ..., a_m], 0 ≤ k ≤ m, is defined by [a_0, a_1, ..., a_k].

These convergents can be quite easily evaluated with the functions Table, Normal, Take, ContinuedFractionForm, and Length.
{3, 22/7, 333/106, 355/113, 103993/33102}

Each convergent, being a rational number, can be written as p_k/q_k. The values of p_k and q_k can be found with the Mathematica functions Numerator and Denominator:

103993
33102


The next theorem gives a nice relation between a continued fraction and its convergents. To be able to shorten the proof, we shall relax our usual restriction of the integrality of the a_i's.

Theorem A.30
Let $\{a_i\}_{i \ge 0}$ be a finite or infinite sequence of reals, all positive with the possible exception of a_0. Let $C_k = p_k/q_k$ be defined by $[a_0, a_1, \ldots, a_k]$ as in (A.18). Then, the numbers p_k and q_k satisfy the recurrence relation
$$p_0 = a_0, \qquad p_1 = a_0 a_1 + 1,$$
$$q_0 = 1, \qquad q_1 = a_1,$$
$$p_k = a_k p_{k-1} + p_{k-2}, \qquad k \ge 2,$$
$$q_k = a_k q_{k-1} + q_{k-2}, \qquad k \ge 2.$$

Proof: The proof is by induction on k.

For k = 0, we have $p_0/q_0 = C_0 = a_0 = a_0/1$, so indeed $p_0 = a_0$ and $q_0 = 1$.

For k = 1, we have $p_1/q_1 = C_1 = [a_0, a_1] = a_0 + \frac{1}{a_1} = \frac{a_0 a_1 + 1}{a_1}$, so indeed $p_1 = a_0 a_1 + 1$ and $q_1 = a_1$.

Assume that the theorem has been proved up to a certain value of k. So,
$$C_k = [a_0, a_1, \ldots, a_k] = \frac{p_k}{q_k} = \frac{a_k p_{k-1} + p_{k-2}}{a_k q_{k-1} + q_{k-2}}.$$

Now substitute $a_k \to a_k + 1/a_{k+1}$ above (this is allowed because the a_i's are only assumed to be real, and $a_k + 1/a_{k+1}$ is again positive). Then
$$C_{k+1} = [a_0, a_1, \ldots, a_k, a_{k+1}] \overset{\text{Def. A.12}}{=} \Bigl[a_0, a_1, \ldots, a_{k-1}, a_k + \frac{1}{a_{k+1}}\Bigr] \overset{\text{induct.}}{=} \frac{\bigl(a_k + \frac{1}{a_{k+1}}\bigr) p_{k-1} + p_{k-2}}{\bigl(a_k + \frac{1}{a_{k+1}}\bigr) q_{k-1} + q_{k-2}} = \frac{a_{k+1}(a_k p_{k-1} + p_{k-2}) + p_{k-1}}{a_{k+1}(a_k q_{k-1} + q_{k-2}) + q_{k-1}} = \frac{a_{k+1} p_k + p_{k-1}}{a_{k+1} q_k + q_{k-1}}.$$

A small result, that we need later, is the inequality
$$q_k \ge F_k, \qquad (\text{A.19})$$
where F_k is the k-th Fibonacci number, defined by $F_0 = 0$, $F_1 = 1$, and the recurrence relation $F_k = F_{k-1} + F_{k-2}$, $k \ge 2$. The inequality $q_k \ge F_k$ follows with an easy induction argument from $q_0 \ge 0$, $q_1 \ge 1$, and the recurrence relation $q_k = a_k q_{k-1} + q_{k-2}$ in which $a_k \ge 1$ (use $q_k \ge q_{k-1} + q_{k-2}$).


Lemma A.31
Let $C_k = p_k/q_k$ be the k-th convergent of a continued fraction. Then
$$p_k q_{k-1} - p_{k-1} q_k = (-1)^{k-1}, \qquad k \ge 1.$$

Proof: The proof is again by induction on k. For k = 1 we have by Theorem A.30 that $p_1 q_0 - p_0 q_1 = (a_0 a_1 + 1) \times 1 - a_0 \times a_1 = 1$.

To prove the step from k to k + 1 we use the recurrence relation in Theorem A.30:
$$p_{k+1} q_k - p_k q_{k+1} \overset{\text{Thm. A.30}}{=} (a_{k+1} p_k + p_{k-1})\, q_k - p_k\,(a_{k+1} q_k + q_{k-1}) = p_{k-1} q_k - p_k q_{k-1} = (-1)(-1)^{k-1} = (-1)^k.$$

Corollary A.32
Let $C_k = p_k/q_k$ be the k-th convergent of a continued fraction. Then
$$\gcd(p_k, q_k) = 1.$$
Proof: This is an immediate consequence of $p_k q_{k-1} - p_{k-1} q_k = (-1)^{k-1}$. Indeed, each number dividing p_k and q_k must also divide $(-1)^{k-1}$.
Theorem A.33
Let $C_k = p_k/q_k$ be the k-th convergent of a finite or infinite continued fraction $[a_0, a_1, \ldots]$. Then
$$C_k - C_{k-1} = \frac{(-1)^{k-1}}{q_k q_{k-1}}, \qquad k \ge 1, \qquad (\text{A.20})$$
$$C_k - C_{k-2} = \frac{(-1)^k a_k}{q_k q_{k-2}}, \qquad k \ge 2, \qquad (\text{A.21})$$
$$C_0 < C_2 < C_4 < \cdots < C_5 < C_3 < C_1. \qquad (\text{A.22})$$

For an infinite continued fraction, the strictly increasing bounded sequence of the even convergents has the same limit as the strictly decreasing bounded sequence of the odd convergents.

Proof: By Lemma A.31 and Theorem A.30
$$C_k - C_{k-1} = \frac{p_k}{q_k} - \frac{p_{k-1}}{q_{k-1}} = \frac{p_k q_{k-1} - p_{k-1} q_k}{q_k q_{k-1}} = \frac{(-1)^{k-1}}{q_k q_{k-1}},$$
$$C_k - C_{k-2} = \frac{p_k}{q_k} - \frac{p_{k-2}}{q_{k-2}} = \frac{(a_k p_{k-1} + p_{k-2})\, q_{k-2} - p_{k-2}\,(a_k q_{k-1} + q_{k-2})}{q_k q_{k-2}} = \frac{a_k\,(p_{k-1} q_{k-2} - p_{k-2} q_{k-1})}{q_k q_{k-2}} = \frac{(-1)^k a_k}{q_k q_{k-2}}.$$

This proves (A.20) and (A.21). That the even convergents form a strictly increasing sequence follows from (A.21), which implies that $C_{2k} - C_{2k-2} > 0$ (the a_i's are positive). For the same reason, the odd convergents are strictly decreasing.

To show that each even convergent, say $C_{2i}$, is less than any odd convergent, say $C_{2j+1}$, we first observe that $C_{2k+1} - C_{2k} > 0$ by (A.20). We combine this with the above to get
$$C_{2i} < C_{2i+2j} < C_{2i+2j+1} < C_{2j+1}.$$
Finally, by (A.19) and (A.20), for k ≥ 2
$$|C_k - C_{k-1}| = \frac{1}{q_{k-1} q_k} \le \frac{1}{F_{k-1} F_k};$$
thus, the difference between two consecutive convergents tends to zero as k tends to infinity. This shows that the limit of the even convergents must be the same as the limit of the odd convergents.
Example A.6

Below we have listed the first 10 convergents of π in their natural ordering.

3.141509433962264
3.141592653011902
3.141592653467437
3.141592653581078
3.141592653589793
3.141592653591404
3.141592653619936
3.141592653921421
3.1415929203539823
3.142857142857143

The next two theorems will be stated without their proofs. These can be found in any introduction to continued fractions, e.g. [Rose84], but the arguments are too technical for our purposes.

Theorem A.34
Let $C_k = p_k/q_k$ be the k-th convergent of a finite or infinite continued fraction $\alpha = [a_0, a_1, \ldots]$ and suppose that $|\alpha - r/s| < |\alpha - p_k/q_k|$. Then $s > q_k$.

For instance, since 355/113 is a convergent of π, we now know that only rationals with a denominator greater than 113 may lie closer to π than 355/113 does.

Theorem A.35
Let $\alpha \in \mathbb{R}$ and let r/s with gcd(r, s) = 1 be a rational such that $|\alpha - r/s| \le \frac{1}{2s^2}$. Then r/s is a convergent of the continued fraction expansion of α.

This theorem says that a rational number r/s that lies at distance at most $1/(2s^2)$ from a number α will appear as a convergent in the continued fraction of that number.
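As an added example that is not part of the book, the Python code below implements Algorithm A.29 for rational input with exact arithmetic, the convergent recurrence of Theorem A.30, and checks of Lemma A.31 and Corollary A.32; it also tests whether a given r/s occurs among the convergents, which is the question Theorem A.35 answers. The function names are my own, and the sample values are Example A.5 (11/9) and the convergents of π listed above.

```python
from fractions import Fraction
from math import floor, gcd


def continued_fraction(alpha):
    """Algorithm A.29 applied to a rational alpha (an int or a Fraction).

    The alpha_i are the successive quotients of Euclid's Algorithm on the
    numerator and denominator, so the loop terminates (Theorem A.28), and the
    last term is >= 2 unless alpha is an integer.
    """
    alpha = Fraction(alpha)
    terms = []
    while True:
        a = floor(alpha)
        terms.append(a)
        rest = alpha - a
        if rest == 0:               # alpha_i == a_i: stop (the 1/0 of Example A.5)
            return terms
        alpha = 1 / rest


def convergents(terms):
    """(p_k, q_k) for k = 0..m by the recurrence of Theorem A.30.

    Starting from the fictitious p_{-2} = 0, p_{-1} = 1, q_{-2} = 1, q_{-1} = 0
    reproduces p_0 = a_0, q_0 = 1, p_1 = a_0 a_1 + 1, q_1 = a_1.
    """
    p2, p1 = 0, 1
    q2, q1 = 1, 0
    out = []
    for a in terms:
        p, q = a * p1 + p2, a * q1 + q2
        out.append((p, q))
        p2, p1, q2, q1 = p1, p, q1, q
    return out


def lemma_a31_holds(terms):
    """p_k q_{k-1} - p_{k-1} q_k == (-1)^(k-1) for k >= 1, hence gcd(p_k, q_k) == 1."""
    c = convergents(terms)
    return all(
        c[k][0] * c[k - 1][1] - c[k - 1][0] * c[k][1] == (-1) ** (k - 1)
        and gcd(c[k][0], c[k][1]) == 1
        for k in range(1, len(c))
    )


def is_convergent(r, s, alpha):
    """Whether r/s occurs among the convergents of the rational alpha (cf. Theorem A.35)."""
    return (r, s) in convergents(continued_fraction(alpha))


if __name__ == "__main__":
    print(continued_fraction(Fraction(11, 9)))     # [1, 4, 2]
    print(convergents([3, 7, 15, 1, 292]))         # [(3, 1), (22, 7), (333, 106), (355, 113), (103993, 33102)]
    print(convergents([1, 4, 1, 1])[-1])           # (11, 9): the same value as [1, 4, 2]
```

Because `Fraction` keeps every $\alpha_i$ exact, the expansion is the one Euclid's Algorithm produces; feeding a floating-point approximation of an irrational number into the same loop would give correct terms only up to the precision of the float, after which the quotients become meaningless.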


A.6 Möbius Inversion Formula, the Principle of Inclusion and Exclusion

A.6.1 Möbius Inversion Formula

Often in Discrete Mathematics a function f is defined in terms of another function, say g. The question is how g can be expressed in terms of f. With the theory of partially ordered sets and the (generalized) Möbius Inversion Formula one can frequently solve this problem (see Chapter IV in [Aign79]). In this section we shall discuss two important special cases. They both follow from the theory mentioned above, but it turns out that they can also be proved directly.


Often we shall need an explicit factorization of an integer n. We no longer want the strict ordering of the prime numbers given by $p_1 = 2$, $p_2 = 3$, etc. However, different subscripts will still denote different prime numbers.


Definition A.14
Let $n = \prod_{i=1}^{k} p_i^{e_i}$, $e_i > 0$, $1 \le i \le k$, where the $p_i$'s are different primes. Then the Möbius function $\mu(n)$ is defined by

$$\mu(n) = \begin{cases} 1 & \text{if } n = 1, \\ 0 & \text{if } e_i \ge 2 \text{ for some } 1 \le i \le k, \\ (-1)^k & \text{if all } e_i \text{ are equal to } 1. \end{cases}$$

In other words, $\mu(n)$ is the multiplicative function satisfying $\mu(1) = 1$, $\mu(p) = -1$, and $\mu(p^i) = 0$, $i \ge 2$, for any prime p. Mathematica has the standard function MoebiusMu[n] to evaluate $\mu(n)$.





The Möbius function is defined in this peculiar way to have the following property.

Lemma A.36
Let n be a positive integer. Then

$$\sum_{d \mid n} \mu(d) = \begin{cases} 1 & \text{if } n = 1, \\ 0 & \text{if } n > 1. \end{cases}$$

Proof: For n = 1 the assertion is trivial. For n > 1 we write as above $n = \prod_{i=1}^{k} p_i^{e_i}$, $e_i > 0$, $1 \le i \le k$. Then $k > 0$ and thus

$$\sum_{d \mid n} \mu(d) = \sum_{d \mid p_1^{e_1} \cdots p_k^{e_k}} \mu(d) = \sum_{d \mid p_1 p_2 \cdots p_k} \mu(d) = \sum_{l=0}^{k} \sum_{1 \le i_1 < \cdots < i_l \le k} \mu(p_{i_1} p_{i_2} \cdots p_{i_l}) = \sum_{l=0}^{k} \binom{k}{l} (-1)^l = (1-1)^k = 0.$$

The reader may want to check the above lemma by means of the Mathematica function MoebiusMu mentioned above.





Lemma A.37
Let m and n be two positive integers such that m divides n. Then

$$\sum_{d:\; m \mid d \mid n} \mu(n/d) = \begin{cases} 1 & \text{if } m = n, \\ 0 & \text{otherwise.} \end{cases}$$

Proof: Let n = n'm. For each d with m | d | n, we write d = d'm. Then $\sum_{d:\; m \mid d \mid n} \mu(n/d) = \sum_{d' \mid n'} \mu(n'/d')$, which by Lemma A.36 is 1 for n' = 1 (i.e. m = n), and is 0 for n' > 1.


Theorem A.38 Möbius Inversion Formula
Let f be a function defined on ℕ and let the function g on ℕ be defined by

$$g(n) = \sum_{d \mid n} f(d), \qquad n \in \mathbb{N}.$$

Then, for all n ∈ ℕ,

$$f(n) = \sum_{d \mid n} \mu(n/d)\, g(d) = \sum_{d \mid n} \mu(d)\, g(n/d).$$

Proof: By the definition of g(n) and Lemma A.37

$$\sum_{d \mid n} \mu(n/d)\, g(d) = \sum_{d \mid n} \mu(n/d) \sum_{e \mid d} f(e) = \sum_{e \mid n} f(e) \sum_{d:\; e \mid d \mid n} \mu(n/d) = f(n).$$


380 APPENDICES 


Corollary A.39 Multiplicative Möbius Inversion Formula
Let F be a function defined on ℕ and let the function G on ℕ be defined by

$$G(n) = \prod_{d \mid n} F(d), \qquad n \in \mathbb{N}.$$

Then for all n ∈ ℕ

$$F(n) = \prod_{d \mid n} G(d)^{\mu(n/d)} = \prod_{d \mid n} G(n/d)^{\mu(d)}.$$

Proof: Substitute g(n) = log(G(n)) and f(n) = log(F(n)) in the Möbius Inversion Formula.


Example A.7

From Theorem A.12 we know that Euler's Totient Function satisfies

$$\sum_{d \mid n} \varphi(d) = n.$$

It follows from the Möbius Inversion Formula (Thm. A.38) that for $n = \prod_{i=1}^{k} p_i^{e_i}$, $e_i > 0$, $1 \le i \le k$,

$$\varphi(n) = \sum_{d \mid n} \mu(d)\, \frac{n}{d} = n - \sum_{1 \le i \le k} \frac{n}{p_i} + \sum_{1 \le i < j \le k} \frac{n}{p_i p_j} - \cdots + (-1)^k \frac{n}{p_1 p_2 \cdots p_k} = n \left(1 - \frac{1}{p_1}\right)\left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_k}\right).$$

This proves Theorem A.17 in a different way.





Theorem B.17 in Section B.3 will show a nice application of the Multiplicative Möbius Inversion Formula.


A.6.2 The Principle of Inclusion and Exclusion

We shall conclude this section with another useful principle. To develop some intuition, consider the integers in between 0 and $p \cdot q - 1$, where p and q are different primes. We want to evaluate $\varphi(p \cdot q)$ directly, i.e. we want to count the number of integers i, $0 \le i < p \cdot q$, that are coprime with $p \cdot q$. Of course, this number is pq minus the number of integers i, $0 \le i < p \cdot q$, that have a nontrivial factor in common with $p \cdot q$, i.e. that are divisible by p or q. There are q multiples of p in the range $0, 1, \ldots, p \cdot q - 1$ and similarly p multiples of q. However, one of the multiples of p is also a multiple of q, namely 0 itself. We conclude that

$$\varphi(p \cdot q) = p \cdot q - p - q + 1 = (p-1)(q-1) = pq \left(1 - \frac{1}{p}\right)\left(1 - \frac{1}{q}\right),$$

as it should be according to Theorem A.17.
Theorem A.40 The Principle of Inclusion and Exclusion

Let S be a finite set with N elements. Suppose that the elements in S can satisfy certain properties P(i), $1 \le i \le k$.
Let $N(i_1, i_2, \ldots, i_l)$ be the number of elements in S that satisfy properties $P(i_1), P(i_2), \ldots, P(i_l)$, where $1 \le i_1 < i_2 < \cdots < i_l \le k$, $1 \le l \le k$ (and possibly also some of the other properties).
Let $N(\emptyset)$ denote the number of elements in S that satisfy none of the properties P(i), $1 \le i \le k$. Then

$$N(\emptyset) = N - \sum_{1 \le i \le k} N(i) + \sum_{1 \le i < j \le k} N(i, j) - \cdots + (-1)^k N(1, 2, \ldots, k).$$

Proof: An element s in S that satisfies exactly r of the k properties is counted

$$1 - \binom{r}{1} + \binom{r}{2} - \cdots + (-1)^r \binom{r}{r} = (1-1)^r = \begin{cases} 1 & \text{if } r = 0, \\ 0 & \text{if } r \ne 0 \end{cases}$$

times in the right hand side, just as in the left hand side.

We leave it as an exercise to the reader to prove Theorem A.17 directly from the definition of the Euler Totient Function and the above principle (Hint: Let $p_i$, $1 \le i \le k$, denote the prime numbers that divide n, take $S = \{0, 1, \ldots, n-1\}$, and say that element s ∈ S has property P(i), $1 \le i \le k$, if s is divisible by $p_i$.)
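The following Python is an added example, not code from the book: it implements the Möbius function of Definition A.14, checks Lemmas A.36 and A.37, inverts a divisor sum as in Theorem A.38, and computes φ(n) in three ways: by Example A.7, by the inclusion-exclusion argument of the exercise above, and by the product formula of Theorem A.17. All helper names are my own.

```python
from itertools import combinations
from math import prod


def factorize(n):
    """Prime factorisation of n as {p: e}, so n = prod p^e (trial division)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def moebius(n):
    """Definition A.14: mu(1) = 1; 0 if some exponent is >= 2; (-1)^k if n
    is a product of k distinct primes."""
    if n == 1:
        return 1
    factors = factorize(n)
    if any(e >= 2 for e in factors.values()):
        return 0
    return (-1) ** len(factors)


def lemma_a36(n):
    """sum_{d|n} mu(d): Lemma A.36 says this is 1 for n = 1 and 0 for n > 1."""
    return sum(moebius(d) for d in divisors(n))


def lemma_a37(m, n):
    """sum over d with m|d|n of mu(n/d): 1 if m = n, else 0 (Lemma A.37)."""
    return sum(moebius(n // d) for d in divisors(n) if d % m == 0)


def moebius_inverse(g, n):
    """Theorem A.38: if g(n) = sum_{d|n} f(d) for all n, then
    f(n) = sum_{d|n} mu(n/d) g(d)."""
    return sum(moebius(n // d) * g(d) for d in divisors(n))


def phi_by_moebius(n):
    """Example A.7: invert sum_{d|n} phi(d) = n, i.e. take g(n) = n."""
    return moebius_inverse(lambda d: d, n)


def phi_by_inclusion_exclusion(n):
    """Theorem A.40 with S = {0, ..., n-1} and property P(i) = 'divisible by
    p_i' (the exercise after the theorem): N(i_1, ..., i_l) equals
    n/(p_{i_1} ... p_{i_l}) and N(empty) is the number of integers in S
    coprime with n, i.e. phi(n)."""
    primes = list(factorize(n))
    return sum((-1) ** l * (n // prod(subset))
               for l in range(len(primes) + 1)
               for subset in combinations(primes, l))


def phi_product_formula(n):
    """Theorem A.17: n * prod_i (1 - 1/p_i), kept in integer arithmetic."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result
```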
A.7 Problems

Problem A.1
Let $\prod_{i=1}^{k} p_i^{e_i}$ be the prime factorization of an integer n. How many different divisors does n have?
For n = 1000, check your answer with the Mathematica function DivisorSigma[k, n] which computes $\sum_{d \mid n} d^k$ (use k = 0).

Problem A.2
Compute u and v such that gcd(455, 559) = 455u + 559v.

Problem A.3
Prove that $\gcd(a^m - 1, a^n - 1) = a^{\gcd(m, n)} - 1$ for every positive integer a. (Hint: reduce the pair {m, n}, m ≥ n, to {m − n, n} and then follow the simple version of Euclid's Algorithm.)

Problem A.4
a) Check that 563 is a prime number.
b) Use Euclid's algorithm to compute $11^{-1}$ (mod 563).
c) Solve $11x \equiv 85$ (mod 563).

Problem A.5
Find the solutions of $33x \equiv 255$ (mod 1689). Note that 1689 = 3 × 563 and use the results of Problem A.4.

Problem A.6
a) Determine φ(100). Check the result with the EulerPhi function.
b) Compute the two least significant digits of 20042 without using the computer.

Problem A.7
Solve the system of congruence relations (hint: use Theorem A.19):
$3x \equiv 2$ (mod 11), $7x \equiv 9$ (mod 13), $4x \equiv 14$ (mod 15).

Problem A.8
Determine the Jacobi Symbol (7531, 3465).

Problem A.9
Use the Chinese Remainder Theorem to solve $x^2 \equiv 56$ (mod 143). (Hint: first reduce it to several systems of linear congruence relations.)
How many different solutions are there modulo 143?

Problem A.10
Determine the first five terms of the continued fraction of f, the largest zero of $f^2 = f + 1$. Determine also the first five convergents.
What do you conjecture about the other terms in the continued fraction of f? Prove this conjecture (hint: use Algorithm A.29 and the definition of f).

Problem A.11
Prove Theorem A.17 with the Principle of Inclusion and Exclusion (Thm. A.40) and the definition of the Euler function φ(n).


Appendix B Finite Fields

Introductory Remarks


Most readers will be familiar with the algebraic structure of the sets of rational, real, and complex 
numbers. These sets have all the properties with respect to addition and multiplication that one 
may want them to have. They are called fields. 


In discrete mathematics, in particular in the context of cryptology and coding theory, fields of 
finite cardinality play a crucial role. In this chapter, an introduction will be given to the theory of 
finite fields. 


The outline of this is as follows: 


In Section B.1, we recapitulate the basic definitions and properties of abstract algebra and of linear algebra. In particular, we shall show that the set of integers modulo a prime number forms a finite field. In Section B.2, a general construction of finite fields will be given. In Section B.3 a formula is derived for the number of irreducible polynomials over a given finite field. This shows that finite fields exist whenever the size is a power of a prime. An analysis of the structure of finite fields will be given in Section B.4. In particular, it will be shown that a finite field of size q exists if and only if q is a prime power. Moreover, such a field is unique, its additive group has the structure of a vector space and its multiplicative group has a cyclic structure.


B.1 Algebra 


Although we assume that the reader is already familiar with all notions discussed in this and the 
next subsection, we offer this summary as a service to the reader. 


B.1.1 Abstract Algebra 


□ Set Operations

Let S be a nonempty set. An operation * defined on S is a mapping from S × S into S. The image of the pair (s, t) under * is denoted by s * t. Examples of operations are the addition + in ℝ and the multiplication × in ℂ. The operation * is called commutative if

S.1  s * t = t * s  for all s and t in S.

An element e in S that satisfies

S.2  s * e = e * s = s  for all s in S

will be called a unit-element of (S, *).

If (S, *) has a unit-element, it will be unique. Indeed, suppose that e and e' both satisfy S.2. Then, by using S.2 twice one gets


Example B.1

Take S as the set of integers ℤ and + (i.e. addition) as operation. This operation is commutative and (ℤ, +) has 0 as unit-element.


Example B.2

Let S be the set of 2 × 2 real matrices with matrix multiplication as operation. This operation is not commutative. On the other hand, this set S does have a unit-element, namely the identity matrix

$$\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}.$$







Property G1 tells us that there is no need to write brackets in strings like g * h * k. The element h in Property G3 is unique. Indeed, if h and h' both satisfy G3, then h = h * e = h * (g * h') = (h * g) * h' = e * h' = h'. In the same way one can show that for each a, b ∈ G the equations

ax = b  and  xa = b

have a unique solution in G, namely

x = a⁻¹b, resp. x = ba⁻¹.

The reader easily checks that (ℤ, +) in Example B.1 is a commutative group. Other well-known examples of commutative groups are: (ℚ, +), (ℚ\{0}, ·), and (ℝ, +).


Example B.2 does not yield a group because not all matrices have an inverse (e.g. the all-zero 
matrix). 


Let (G, *) be a group and H a subset of G with the property that (H, *) is also a group; then H will be called a subgroup of G. It can be shown (see Problem B.3) that H is a subgroup of G if and only if

$h_1 * h_2^{-1} \in H$, for every $h_1, h_2 \in H$.

Let m ∈ ℤ\{0} and define mℤ = {mk | k ∈ ℤ}. Then (mℤ, +) is a commutative subgroup of (ℤ, +), as one can easily check.


Example B.3

Let m ∈ ℤ\{0} and define $\mathbb{Z}_m^*$ as the reduced residue system

$\mathbb{Z}_m^* = \{0 \le i < m \mid \gcd(i, m) = 1\}$.

The cardinality of the set $\mathbb{Z}_m^*$ is φ(m) by Definition A.6.

It follows from Lemma A.13 that the product of two elements in $\mathbb{Z}_m^*$ can again be represented by an element in $\mathbb{Z}_m^*$. Clearly, 1 is an element of $\mathbb{Z}_m^*$ which is the unit element under this multiplication. That each element in $\mathbb{Z}_m^*$ has a multiplicative inverse follows from Theorem A.18 (note that with $a \in \mathbb{Z}_m^*$ one has that gcd(a, m) = 1 and thus the congruence relation $ax \equiv 1 \pmod m$ has a unique solution).

We conclude that the multiplicative group $(\mathbb{Z}_m^*, \times)$ is a commutative group of cardinality φ(m).


Commutative groups are also called Abelian groups. Quite often, Abelian groups are represented 
in an additive way: the operation is denoted by a plus sign and the unit-element is called the zero 
element (denoted with a zero). An abelian group in this notation is called an additive group. 


The most commonly used additive group in this introduction will be $(\mathbb{Z}_m, +)$, but in Chapter 10, we shall see another example (see Theorem 10.2).


We shall now consider the more interesting situation that two operations are defined on a set. The 
first will be denoted by g +h, the second by g -h. 




□ Ring

The triple (R, +, ·) is called a ring, if

R1: (R, +) is a commutative group. Its unit-element will be denoted by 0.

R3: Distributivity holds, i.e. for all r, s, t ∈ R
r · (s + t) = r · s + r · t  and  (r + s) · t = r · t + s · t.

From now on we shall often simply write gh instead of g · h. The (additive) inverse of an element g in the group (R, +) will simply be denoted by −g, just as we write 2g for g + g, and 3g for g + 2g, etc. Note that 0 really behaves like a zero-element, because for every r ∈ R one has that 0r = (r − r)r = rr − rr = 0 and similarly that r0 = 0.

Suppose that the operation · is commutative on R\{0}. Then the ring (R, +, ·) is called commutative. Examples of commutative rings are (ℝ, +, ·), (ℚ, +, ·), (ℤ, +, ·), but also (mℤ, +, ·), when m ≠ 0.

Let (R, +, ·) be a ring and S a subset of R with the property that (S, +, ·) is itself a ring; then S will be called a subring of R. Note that (6ℤ, +, ·) is a subring of (2ℤ, +, ·), which in turn is a subring of (ℤ, +, ·).


□ Ideal

Definition B.3
A subring (S, +, ·) of a ring (R, +, ·) is called an ideal if
I: for all r ∈ R and s ∈ S [rs ∈ S and sr ∈ S].

Let m ∈ ℤ\{0}. It is easy to check that any integer multiple of a multiple of m is also a multiple of m. It follows that (mℤ, +, ·) is an ideal in (ℤ, +, ·).

Now suppose that (R, ·) has a unit-element, say e; then some elements a in R may have an inverse in R, i.e. an element b such that ab = ba = e. This inverse, which is again unique, is called the multiplicative inverse of a and will be denoted by a⁻¹. Clearly, the element 0 will not have a multiplicative inverse. Indeed, suppose that r0 = e for some r ∈ R. Then for each a ∈ R one has that a = ae = a(r0) = (ar)0 = 0, i.e. R = {0}.

It follows from the above that (R, ·), when R ≠ {0}, can not be a group. However, (R\{0}, ·) may very well have the structure of a group.
□ Field

Definition B.4
A triple (F, +, ·) is called a field, if

F1: (F, +) is a commutative group. Its unit-element is denoted by 0.

F2: (F\{0}, ·) is a group. The multiplicative unit-element is denoted by e.

Unlike some rings, a field can not have so-called zero-divisors, i.e. elements f and g, both unequal to 0, whose product fg is equal to 0. Indeed, suppose that fg = 0 and f ≠ 0. Then g = eg = (f⁻¹f)g = f⁻¹(fg) = f⁻¹0 = 0, so g = 0 after all.

If a subring (K, +, ·) of a field (F, +, ·) has the structure of a field, we shall call it a subfield of (F, +, ·).

Examples of fields are the rationals (ℚ, +, ·), the reals (ℝ, +, ·), and the complex numbers (ℂ, +, ·), each one being a subfield of the next one.


We speak of a finite group (G, *), ring (R, +, ·), or field (F, +, ·) of order n, if G, resp. R, and F are finite sets of cardinality n. For finite fields it is customary to denote the cardinality by q.

In this chapter, we shall study the structure of finite fields. It will turn out that finite fields of order q only exist when q is a prime power. Moreover, these finite fields are essentially unique for a fixed prime power q. This justifies the widely accepted notation $\mathbb{F}_q$ or GF(q) (where GF stands for Galois Field after the Frenchman Galois) for a finite field of order q. Examples of finite fields will follow in Section B.2.

Analogously to commutative rings, we define a commutative field (F, +, ·) to be a field for which (F\{0}, ·) is commutative. The following theorem will not be proved, but is very important [Cohn77, p. 196].

Theorem B.1 Wedderburn
Every finite field is commutative.


□ Equivalence Relations

Definition B.5
Let U be a set. Corresponding to any subset P of U × U, one can define a relation ~ on U by
for all u, v ∈ U [u ~ v ⇔ (u, v) ∈ P].
An equivalence relation is a relation with the additional properties:
E1: for all u ∈ U [u ~ u] (reflexivity),
E2: for all u, v ∈ U [u ~ v ⇒ v ~ u] (symmetry),
E3: for all u, v, w ∈ U [(u ~ v ∧ v ~ w) ⇒ u ~ w] (transitivity).

Let U be the set of straight lines in the (Euclidean) plane. Then "being parallel or equal" defines an equivalence relation.

In Section A.3 we have seen another example. There U = ℤ and for a fixed m, m ≠ 0, the relation ≡ was defined by a ≡ b (mod m) if and only if m divides a − b.


Let ~ be an equivalence relation defined on a set U. A non-empty subset W of U is called an equivalence class, if

E1'  ∀_{v,w ∈ W} [v ~ w],
E2'  ∀_{w ∈ W} ∀_{u ∈ U\W} [¬(u ~ w)].


It follows from the properties above, that an equivalence class consists of all elements in U, that 
are in relation ~ with a fixed element in U. Clearly, the various equivalence classes of U form a 
partition of U. The equivalence class containing a particular element w, will be denoted by < w >. 


Let (R, +, ·) be a commutative ring with (multiplicative) unit-element e and let (S, +, ·) be an ideal in (R, +, ·). We define a relation ≡ on R by

a ≡ b (mod S) ⇔ (a − b ∈ S).   (B.1)

The reader can easily verify that (B.1) defines an equivalence relation. Let R/S (read: R modulo S) denote the set of equivalence classes. On R/S we define two operations by:

<a> + <b> := <a + b>,  a, b ∈ R,

<a> · <b> := <ab>,  a, b ∈ R.

It is easy to verify that these definitions are independent of the particular choice of the elements a and b in the equivalence classes <a> and <b>. We leave it as an exercise to the reader to prove the following theorem.

Theorem B.2
Let (R, +, ·) be a commutative ring and let (S, +, ·) be an ideal in (R, +, ·). With the above definitions (R/S, +, ·) is a commutative ring with unit-element <e>.

The ring (R/S, +, ·) is called a residue class ring of R modulo S. In the next section we will see applications of Theorem B.2.
□ Cyclic Groups

Before we conclude this section, there is one more topic that needs to be discussed. Let (G, ·) be a finite group and let a be an element in G\{e}. Let $a^2, a^3, \ldots$ denote aa, aaa, etc. Consider the sequence of elements $e, a, a^2, \ldots$ in G. Since G is finite, there exists a unique integer n such that the elements $e, a, a^2, \ldots, a^{n-1}$ are all different, while $a^n = a^j$ for some j, $0 \le j < n$. It follows that $a^{n+1} = a^{j+1}$, etc. We shall now show that j = 0, i.e. that $a^n = e$. Suppose that j > 0. Then it would follow from $a^n = a^j$ that $a^{n-1} = a^{j-1}$. However, this contradicts our definition of n. We conclude that the n elements $a^i$, $0 \le i < n$, are all distinct and that $a^n = e$.

It is now clear that the elements $e, a, a^2, \ldots, a^{n-1}$ form a subgroup H in G. Such a (sub)group H is called a cyclic subgroup of order n. We say that the element a generates H and that a has (multiplicative) order n.

Since all elements in a cyclic group are a power of the same element, it follows that a cyclic group is commutative.

Lemma B.3
Let (G, ·) be a group and a an element in G of order n. Then, for all m ∈ ℤ

$a^m = e \Leftrightarrow n \mid m$.

Proof:
Write m = qn + r, $0 \le r < n$. Then $a^m = e$ iff $a^r = e$, i.e. iff r = 0, i.e. iff n | m.
□

It follows that an element a in G has order d if and only if $a^d = e$ and $a^{d/p} \ne e$ for every prime divisor p of d.

To find the multiplicative order of an integer a in $\mathbb{Z}_m^*$ (so gcd(a, m) = 1), it follows from Euler's Theorem (Thm. A.14) and Lemma B.3 that one only has to check the divisors of φ(m). The following module does this in an efficient way. It makes use of the Mathematica functions GCD, Divisors, EulerPhi, and PowerMod.
Lemma B.4
Let (G, ·) be a group and a an element in G of order n. For k > 0, element $a^k$ has order

$$\frac{n}{\gcd(k, n)}.$$

Proof:

Let m be the order of $a^k$. Since $k/\gcd(k, n)$ is an integer, it follows that

$$(a^k)^{n/\gcd(k, n)} = (a^n)^{k/\gcd(k, n)} = e^{k/\gcd(k, n)} = e.$$

From Lemma B.3, we conclude that m divides $n/\gcd(k, n)$. To prove the converse, we observe that $(a^k)^m = e$, so Lemma B.3 implies that n divides km. Hence, $n/\gcd(k, n)$ divides m.
□

Continuing with the same parameters as above, we have for instance:
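An added Python version (not the book's Mathematica module) of the order computation described after Lemma B.3, together with a check of the criterion that follows it and of Lemma B.4. φ(m) is computed from Definition A.6 by counting, and all function names are assumptions of this example.

```python
from math import gcd


def euler_phi(m):
    """Definition A.6 by counting: the number of 0 <= i < m with gcd(i, m) = 1."""
    return sum(1 for i in range(m) if gcd(i, m) == 1)


def divisors(n):
    """Divisors of n in increasing order."""
    return [d for d in range(1, n + 1) if n % d == 0]


def prime_divisors(n):
    """Distinct primes dividing n (trial division is fine at this size)."""
    return [p for p in divisors(n) if p > 1 and all(p % q for q in range(2, p))]


def multiplicative_order(a, m):
    """Order of a in Z_m^*.  By Euler's Theorem a^phi(m) = 1 (mod m), so by
    Lemma B.3 the order divides phi(m): test the divisors in increasing order
    and return the first d with a^d = 1 (mod m)."""
    if m < 2 or gcd(a, m) != 1:
        raise ValueError("a must lie in Z_m^*")
    for d in divisors(euler_phi(m)):
        if pow(a, d, m) == 1:
            return d


def has_order(a, m, d):
    """Criterion stated after Lemma B.3: a has order d iff a^d = e and
    a^(d/p) != e for every prime divisor p of d."""
    return pow(a, d, m) == 1 and all(pow(a, d // p, m) != 1 for p in prime_divisors(d))


def order_of_power(a, k, m):
    """Lemma B.4: if a has order n then a^k has order n / gcd(k, n)."""
    n = multiplicative_order(a, m)
    return n // gcd(k, n)


def orders_in_unit_group(m):
    """{a: order of a} over all of Z_m^*; every value divides phi(m)."""
    return {a: multiplicative_order(a, m) for a in range(1, m) if gcd(a, m) == 1}


if __name__ == "__main__":
    # the elements of order phi(11) = 10 are the generators of Z_11^*
    print(orders_in_unit_group(11))
```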
Analogous to (B.1), one can define for every subgroup (H, ·) of a finite group (G, ·) an equivalence relation ~ by

a ~ b iff $ab^{-1} \in H$.

The equivalence classes are of the form

{ha | h ∈ H},

as one can easily check. They all have the same cardinality as H. It follows that the number of equivalence classes is |G|/|H|. As a consequence |H| divides |G|. This proves the following theorem.

Let (G, ·) be a finite group of order n. Then every subgroup (H, ·) of (G, ·) has an order dividing n. Also every element a, a ≠ e, in G has an order dividing n.
B.1.2 Linear Algebra

□ Vector Spaces and Subspaces

Let F denote an arbitrary field.

Definition B.6

A vector space over F is a set V of objects which can be added and multiplied by elements of F such that the result is again in V. Besides, the following properties must be satisfied:

1. (u + v) + w = u + (v + w) for all u, v, w ∈ V,
2. there is a zero-element in V, i.e. an element o such that v + o = o + v = v for all v ∈ V,
3. for every v ∈ V there is an element −v in V such that v + (−v) = (−v) + v = o,
4. u + v = v + u for all u, v ∈ V,
5. α(u + v) = αu + αv for all u, v ∈ V and α ∈ F,
6. (α + β)v = αv + βv for all α, β ∈ F and v ∈ V,
7. (αβ)v = α(βv) for all α, β ∈ F and v ∈ V,
8. 1·v = v for all v ∈ V, where 1 denotes the unit-element of the field F.





It is customary to call the elements of a vector space vectors although they need not be vectors in 
the heuristic sense. 


Examples of vector spaces over F are:
i) $F^n$, the set of n-tuples over F,
ii) {f(x) ∈ F[x] | deg(f(x)) < n}, the set of polynomials over F of degree less than n.


Often, it is clear from the context over which field a vector space is defined. In that case, the field 
will no longer be mentioned. 


Definition B.7
A subset W of a given vector space V is called a linear subspace of V if W itself is a vector space with the operations already defined in V.





In order to determine whether a given subset of a vector space is a subspace, it is not necessary to check all eight vector space properties. For instance property 1 holds for all u, v, w ∈ W because it is satisfied a fortiori by all elements in V. We have

A subset W of a vector space V is a linear subspace of V if and only if
(i) o ∈ W,
(ii) u + v ∈ W for all u, v ∈ W,
(iii) αw ∈ W for all w ∈ W and α ∈ F.


Every vector space V has two so-called trivial subspaces: {o} and V. 
Let V be a vector space and let $v_1, v_2, \ldots, v_n$ be elements of V. An expression of the type

$\alpha_1 v_1 + \alpha_2 v_2 + \ldots + \alpha_n v_n$, with $\alpha_i \in F$,

is called a linear combination of $v_1, v_2, \ldots, v_n$.

The set of all linear combinations of $v_1, v_2, \ldots, v_n$ is a subspace of V, which is called the subspace spanned by $v_1, v_2, \ldots, v_n$, and will be denoted by $\langle v_1, v_2, \ldots, v_n \rangle$.


□ Linear Independence, Basis and Dimension

Probably the most important concept when dealing with vector spaces is the concept of linear (in)dependency.

Definition B.8

A set of vectors $v_1, v_2, \ldots, v_n$ in a vector space V is linearly independent if the equation $\alpha_1 v_1 + \alpha_2 v_2 + \ldots + \alpha_n v_n = o$ has only the trivial solution $\alpha_1 = 0, \alpha_2 = 0, \ldots, \alpha_n = 0$. If the set of vectors is not linearly independent





Suppose that the set of vectors $v_1, v_2, \ldots, v_n$ is linearly dependent. Then, there is a linear combination $\alpha_1 v_1 + \ldots + \alpha_n v_n = o$ where at least one $\alpha_j \ne 0$. This enables us to write

$v_j = -\alpha_j^{-1}(\alpha_1 v_1 + \ldots + \alpha_{j-1} v_{j-1} + \alpha_{j+1} v_{j+1} + \ldots + \alpha_n v_n)$. Thus, we get a different description of linear dependency.

Theorem B.7
A set of vectors $v_1, v_2, \ldots, v_n$ in a vector space V is linearly dependent if and only if at least one of these vectors can be expressed as a linear combination of the other vectors.


This implies in particular that any set of vectors that includes the zero-vector o is linearly 
dependent. 


Theorem B.8

Suppose that the vectors $v_1, v_2, \ldots, v_n$ are linearly independent. If we replace one of these vectors by the sum of this vector and a linear combination of the other vectors, the resulting set of vectors is again linearly independent.

Now let W be a subspace of a vector space V, and let $\{w_1, w_2, \ldots, w_n\} \subseteq W$.

The set $\{w_1, w_2, \ldots, w_n\}$ is a basis for W if
(i) this set of vectors is linearly independent,
(ii) $\langle w_1, w_2, \ldots, w_n \rangle = W$, i.e. any w ∈ W is a linear combination of $w_1, w_2, \ldots, w_n$.





In particular, if W = V we have a basis for the vector space V itself. 


For instance, if $V = F^n$ the following set of vectors is a basis for V:

$e_1 = (1, 0, \ldots, 0)$, $e_2 = (0, 1, 0, \ldots, 0)$, ..., $e_n = (0, \ldots, 0, 1)$.


This basis is usually called the standard basis. 


In the definition we considered only a finite basis. Not every vector space is spanned by a finite number of vectors. Take for example F = ℝ, and V the vector space of all real-valued functions on ℝ.


It can be proved that in every vector space a basis exists. Here we will be concerned only with 
vector spaces which are spanned by a finite number of vectors. The following theorem is very 
important. 





Theorem B.9
Suppose one basis of a subspace W of a vector space V has n vectors, and another basis has m vectors. Then n = m.

A basis for a vector space is not uniquely determined; however, in the case of a finite basis the number of vectors in a basis is uniquely determined.

If a vector space has a basis with n vectors we call n the dimension of this vector space. The dimension of the zero vector space {o} is defined to be 0.





□ Inner Product, Orthogonality

Let V be a vector space over the field F.

Definition B.11
An inner product on V is a bilinear map V × V → F. It is denoted by (u, v), where u and v are vectors in V.

Bilinear means that the following properties should hold for all u, v, w ∈ V and α ∈ F:

(u + v, w) = (u, w) + (v, w)  and  (u, v + w) = (u, v) + (u, w),

(αu, v) = α(u, v) = (u, αv).

This is a very general definition of an inner product. If in particular F = ℝ or F = ℂ usually additional properties are required. For instance, in real vector spaces one wants (u, u) to be positive definite, i.e. (u, u) > 0 for all vectors u ≠ o. In this case, the length or norm of u is defined by $\sqrt{(u, u)}$ and often denoted by ||u||.

If $V = F^n$ then the standard inner product is defined by

$(u, v) = u_1 v_1 + u_2 v_2 + \ldots + u_n v_n$.   (B.2)
If the field F is finite then there may exist nonzero vectors u such that (u, u) = 0. For instance, in the vector space $F^n$, where F = {0, 1}, with standard inner product, any vector u with an even number of nonzero coordinates is orthogonal to itself.

Let U be a subspace of V. In many applications it is useful to consider the set of all vectors orthogonal to U.

In formula:

$U^\perp = \{v \in V \mid (u, v) = 0 \text{ for all } u \in U\}$.

The following properties hold for subspaces U and W of a finite dimensional vector space V:

$\dim(U^\perp) = \dim(V) - \dim(U)$,
if $U \subseteq W$ then $W^\perp \subseteq U^\perp$.

In the case where $V = F^n$, with standard inner product, we have a simple description of $U^\perp$. Let $\{u_1, u_2, \ldots, u_m\}$ be a basis for U, and let A be the m × n-matrix with rows $u_1, \ldots, u_m$. Then we have:

$v \in U^\perp \Leftrightarrow A v^T = o^T$,

where the superscript T denotes the transpose of a vector, i.e. the column vector with the same coordinates as v has.
B.2 Constructions

The set of integers modulo m, m ∈ ℕ\{0}, that was introduced in Section A.3, can also be described as the residue class ring (ℤ/mℤ, +, ·) (see Theorem B.2), since (mℤ, +, ·) is an ideal in the commutative ring (ℤ, +, ·). This residue class ring is commutative and has <1> as multiplicative unit-element. The ring (ℤ/mℤ, +, ·) is often denoted by $(\mathbb{Z}_m, +, \cdot)$.

Theorem B.11
Let m be a positive integer. The ring $(\mathbb{Z}_m, +, \cdot)$ is a finite field with m elements if and only if m is prime.

Proof:

⇒ Suppose that m is composite, say m = ab, a > 1 and b > 1. Then <0> = <ab> = <a><b>, while <a> ≠ <0> and <b> ≠ <0>. So the ring $(\mathbb{Z}_m, +, \cdot)$ has zero-divisors and thus it can not be a field.

⇐ Now suppose that m is prime (see also Example B.3). We have to prove that for every equivalence class <a>, <a> ≠ <0>, there exists an equivalence class <b>, such that <a><b> = <1>. For this it is sufficient to show that for any a with m ∤ a, there exists an element b, such that $ab \equiv 1 \pmod m$. This however follows from Lemma A.13 or Theorem A.18.

□


For convenience, one often leaves out the brackets around the representatives of equivalence 
classes, therefore with a one really means <a>. 


Later we shall see that for p prime, $(\mathbb{Z}_p, +, \cdot)$ is essentially the only finite field with p elements. We shall denote it by $(\mathbb{F}_p, +, \cdot)$. In information and communication theory one often works with $\mathbb{F}_2$, which just consists of the elements 0 and 1.


We are now going to construct finite fields $\mathbb{F}_q$ for $q = p^n$, p prime.
Let (F, +, ·) be a commutative field (not necessarily finite) and let F[x] be the set of polynomials over F, i.e. the set of expressions

$f(x) = f_0 + f_1 x + f_2 x^2 + \ldots + f_n x^n$

where $f_i \in F$, $0 \le i \le n$, and n ∈ ℕ. The largest value of i for which $f_i \ne 0$ is called the degree of f(x).
Addition and multiplication of polynomials is defined in the natural way:

$\sum_i f_i x^i + \sum_i g_i x^i = \sum_i (f_i + g_i)\, x^i$,   (B.3)

$\left(\sum_i f_i x^i\right)\left(\sum_j g_j x^j\right) = \sum_k \sum_{i+j=k} f_i g_j\, x^k$.   (B.4)
Example B.4

Let $F = \mathbb{F}_2$ and consider $f(x) = 1 + x^2 + x^3$ and $g(x) = 1 + x + x^3$. Then $f(x) + g(x) = x + x^2$ and $f(x)g(x) = 1 + x + x^2 + x^3 + x^4 + x^5 + x^6$.

In Mathematica we can perform these calculations with the function PolynomialMod; the two results are

x + x^2

1 + x + x^2 + x^3 + x^4 + x^5 + x^6

It is now straightforward to verify the next theorem.

Theorem B.12
Let (F, +, ·) be a commutative field. Then (F[x], +, ·) is a commutative ring with unit-element.


Analogously to the concepts defined in Appendix A for the set of integers, one can define the following notions in (F[x], +, ·): divisibility, reducibility (if a polynomial can be written as the product of two polynomials of lower degree), irreducibility (which is the analog of primality), gcd, lcm, the unique factorization theorem (the analog of the fundamental theorem in number theory), Euclid's Algorithm, congruence relations, etc. We leave the details to the reader.

The following Mathematica functions can be helpful here: PolynomialMod (which also reduces one polynomial modulo another), Factor, PolynomialGCD, PolynomialLCM. Their usage is demonstrated in the following examples:

1 + x

(1 + x^2)(1 + x + x^2)

With the package Algebra`PolynomialExtendedGCD` one can use the Mathematica function PolynomialExtendedGCD:

{1 + x, {1, Mod[x, 2]}}

One particular consequence of Theorem B.12 is stated in the following theorem and its corollary.

Theorem B.13
Let a(x) and b(x) be two polynomials in F[x]. Then there exist polynomials u(x) and v(x) in F[x] such that

u(x) a(x) + v(x) b(x) = gcd(a(x), b(x)).

Corollary B.14
Let a(x) and f(x) be two polynomials in F[x], such that gcd(a(x), f(x)) = 1. Then, the congruence relation

a(x) u(x) ≡ 1 (mod f(x))

has a unique solution modulo f(x).

The solution of the above congruence relation can again be found with PolynomialExtendedGCD. Indeed, from the output of PolynomialExtendedGCD for $1 + x^2$ and $1 + x + x^4$ we can conclude that the congruence relation $(1 + x^2)\, u(x) \equiv 1 \pmod{1 + x + x^4}$ has the solution $1 + x + x^3$, as one can easily check with:

PolynomialMod[(1 + x^2) (1 + x + x^3), 1 + x + x^4, Modulus -> 2]

1
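As an added example, not code from the book, the following Python represents polynomials over $\mathbb{F}_2$ as bit patterns and implements (B.3), (B.4), division with remainder, Euclid's Algorithm in the form of Theorem B.13, the inverse of Corollary B.14, and the irreducibility test suggested by Theorem B.16. It reproduces Example B.4 and the inverse of $1 + x^2$ modulo $1 + x + x^4$ computed above; the helper names are my own.

```python
# Polynomials over F_2 are Python ints: bit i is the coefficient of x^i, so
# 1 + x + x^4 is 0b10011.  Addition (B.3) is XOR because 1 + 1 = 0 in F_2.

def deg(a):
    return a.bit_length() - 1          # deg(0) = -1 by this convention


def p_add(a, b):
    return a ^ b


def p_mul(a, b):
    """(B.4): schoolbook product; coefficients are reduced mod 2 by XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def p_divmod(a, m):
    """Long division: a = q*m + r with deg(r) < deg(m)."""
    if m == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while deg(a) >= deg(m):
        shift = deg(a) - deg(m)
        q ^= 1 << shift
        a ^= m << shift
    return q, a


def p_mulmod(a, b, m):
    return p_divmod(p_mul(a, b), m)[1]


def p_ext_gcd(a, b):
    """Theorem B.13: (g, u, v) with u*a + v*b = g = gcd(a, b), by Euclid's
    Algorithm; over F_2 subtraction is the same as addition."""
    r0, r1 = a, b
    u0, u1 = 1, 0
    v0, v1 = 0, 1
    while r1:
        q, r = p_divmod(r0, r1)
        r0, r1 = r1, r
        u0, u1 = u1, p_add(u0, p_mul(q, u1))
        v0, v1 = v1, p_add(v0, p_mul(q, v1))
    return r0, u0, v0


def p_inverse(a, f):
    """Corollary B.14: the unique u(x) mod f(x) with a(x)u(x) = 1 (mod f(x)),
    or None when gcd(a, f) != 1 (then a is a zero-divisor modulo f)."""
    g, u, _ = p_ext_gcd(a, f)
    if g != 1:
        return None
    return p_divmod(u, f)[1]


def is_irreducible(f):
    """Trial division by every polynomial of degree 1 .. deg(f)//2: f is
    irreducible iff none divides it (the condition in Theorem B.16)."""
    n = deg(f)
    if n <= 0:
        return False
    for d in range(1, n // 2 + 1):
        for g in range(1 << d, 1 << (d + 1)):   # all polynomials of degree d
            if p_divmod(f, g)[1] == 0:
                return False
    return True


if __name__ == "__main__":
    f, g = 0b1101, 0b1011                 # 1 + x^2 + x^3 and 1 + x + x^3
    print(bin(p_add(f, g)), bin(p_mul(f, g)))
    print(bin(p_inverse(0b101, 0b10011)))   # inverse of 1 + x^2 mod 1 + x + x^4
```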


Another important property of F[x] is given in the following theorem.

Theorem B.15
Any polynomial of degree n, n > 0, in F[x] has at most n zeros in F.

Proof: For n = 1 the statement is trivial. We proceed by induction on n.

Let u ∈ F be a zero of a polynomial f(x) of degree n over F (if no such u exists, there is nothing to prove). Write f(x) = (x − u) q(x) + r(x), degree(r(x)) < degree(x − u) = 1. It follows that r(x) is a constant, say r. Substitution of x = u in the relation above shows that r = 0. We conclude that f(x) = (x − u) q(x).

Now q(x) has degree n − 1, thus, by the induction hypothesis, q(x) has at most n − 1 zeros in F. Since a field can not have zero-divisors, we know that each zero of f(x) is either a zero of x − u or a zero of q(x). It follows that f(x) has at most n zeros in F.


Let s(x) be a non-zero polynomial in F[x]. It is easy to check that the set


{ a(x) s(x) | a(x) ∈ F[x] }


forms an ideal in the ring (F[x], +, ·). We denote this ideal by (s(x)) and say that s(x) generates the ideal (s(x)).


Conversely, let (S, +, ·) be any ideal in (F[x], +, ·), with S ≠ F[x]. Further, let s(x) be a polynomial of lowest degree in S. Take any other polynomial f(x) in S and write f(x) = q(x) s(x) + r(x), degree(r(x)) < degree(s(x)). With properties I and R1, we then have that r(x) is also an element of S. From our assumption on s(x) we conclude that r(x) = 0 and thus that s(x) divides f(x).


It follows from the above discussion that any ideal in the ring (F[x], +, ·) is generated by a single element! A ring with this property is called a principal ideal ring.


From now on we shall restrict ourselves to finite fields. Up to now we have only seen examples of finite fields F_p, with p prime.


Let f(x) ∈ F_p[x] be of degree n. We shall say that f is a p-ary polynomial. Let (f(x)) be the ideal generated by f(x). From Theorem B.2 we know that (F_p[x]/(f(x)), +, ·) is a commutative ring with unit-element <1>. It contains p^n elements, represented by the p-ary polynomials of degree < n.

Theorem B.16

Let (F_p, +, ·) be a finite field with p elements. Let f(x) be a polynomial of degree n over F_p. Then the commutative ring (F_p[x]/(f(x)), +, ·) is a finite field with p^n elements if and only if f(x) is irreducible in F_p[x].


Proof: (Compare with Theorem B.11 and its proof.)


=> Suppose that f(x) = a(x) b(x), with degree(a(x)) > 0 and degree(b(x)) > 0. Then <a(x)> <b(x)> = <a(x) b(x)> = <f(x)> = <0>, while <a(x)> ≠ <0> and <b(x)> ≠ <0>. So (F_p[x]/(f(x)), +, ·) is a ring with zero-divisors. Hence it cannot be a field.


<= On the other hand, if f(x) is irreducible, any non-zero polynomial a(x) of degree < n will have a multiplicative inverse u(x) modulo f(x) by Corollary B.14. For this u(x) one has <a(x)> <u(x)> = <1>. It follows that (F_p[x]/(f(x)), +, ·) is a field. We know already that it contains p^n elements.


Example B.5
Let q = 2. The field F_2 consists of the two elements 0 and 1. Let f(x) = 1 + x + x^3. Then (F_2[x]/(1 + x + x^3), +, ·) is a finite field with 2^3 = 8 elements. These eight elements can be represented by the eight binary polynomials of degree < 3. Addition and multiplication have to be performed modulo 1 + x + x^3. For instance


(1 + x + x^2) x^2 = x^2 + x^3 + x^4 = (x + 1)(1 + x + x^3) + 1 ≡ 1 (mod 1 + x + x^3).

Thus, x^2 is the multiplicative inverse of 1 + x + x^2 in the field (F_2[x]/(1 + x + x^3), +, ·).
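The congruence (1 + x^2) u(x) ≡ 1 (mod 1 + x + x^4) solved above and the inverse found in Example B.5 can both be checked with a small polynomial toolkit over F_p. The following Python code is an added example, not Mathematica and not the book's own code: a polynomial is its list of coefficients in increasing degree (so [1, 1, 0, 1] stands for 1 + x + x^3), and the code implements division with remainder, the extended Euclidean Algorithm of Theorem B.13 and the inverse of Corollary B.14. All function names are this example's own.

```python
# Polynomials over F_p (p prime) as coefficient lists, lowest degree first:
# [c0, c1, ..., cn] stands for c0 + c1 x + ... + cn x^n.  The zero polynomial is [].
# Added example code; the function names are this example's own, not Mathematica's.

def trim(a):
    """Drop leading zero coefficients so that the degree is well defined."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def degree(a):
    a = trim(a)
    return len(a) - 1 if a else -1          # degree of the zero polynomial is -1 here

def add(a, b, p):
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])

def neg(a, p):
    return [(-c) % p for c in a]

def mul(a, b, p):
    a, b = trim(a), trim(b)
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def divmod_poly(a, b, p):
    """Division with remainder in F_p[x]: a = q b + r with degree(r) < degree(b)."""
    a, b = trim(a), trim(b)
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(b[-1], p - 2, p)          # inverse of the leading coefficient of b
    q = [0] * max(len(a) - len(b) + 1, 1)
    r = a
    while degree(r) >= degree(b):
        shift = degree(r) - degree(b)
        coef = (r[-1] * inv_lead) % p
        q[shift] = coef
        for i, y in enumerate(b):            # subtract coef * x^shift * b from r
            r[i + shift] = (r[i + shift] - coef * y) % p
        r = trim(r)
    return trim(q), r

def ext_gcd(a, b, p):
    """Extended Euclid (Theorem B.13): returns (g, u, v) with u a + v b = g, g monic."""
    r0, r1 = trim(a), trim(b)
    u0, u1, v0, v1 = [1], [], [], [1]       # invariant: u_i a + v_i b = r_i
    while r1:
        q, r = divmod_poly(r0, r1, p)
        r0, r1 = r1, r
        u0, u1 = u1, add(u0, neg(mul(q, u1, p), p), p)
        v0, v1 = v1, add(v0, neg(mul(q, v1, p), p), p)
    if not r0:
        return [], [], []
    s = pow(r0[-1], p - 2, p)               # scale so that the gcd is monic
    monic = lambda w: trim([(c * s) % p for c in w])
    return monic(r0), monic(u0), monic(v0)

def inverse_mod(a, f, p):
    """Solve a(x) u(x) = 1 (mod f(x)) (Corollary B.14); None when gcd(a, f) != 1."""
    g, u, _ = ext_gcd(a, f, p)
    if g != [1]:
        return None
    return divmod_poly(u, f, p)[1]          # reduce u modulo f: the unique solution

if __name__ == "__main__":
    # (1 + x^2) u(x) = 1 (mod 1 + x + x^4) over F_2 has the solution 1 + x + x^3
    print(inverse_mod([1, 0, 1], [1, 1, 0, 0, 1], 2))   # [1, 1, 0, 1]
    # Example B.5: the inverse of 1 + x + x^2 modulo 1 + x + x^3 is x^2
    print(inverse_mod([1, 1, 1], [1, 1, 0, 1], 2))      # [0, 0, 1]
```

The coefficient list is kept trimmed so that `degree` is always the true degree; `inverse_mod` returns `None` exactly in the case excluded by Corollary B.14, a non-trivial common factor of a(x) and f(x).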
In Mathematica one can find an irreducible polynomial over F_p, p prime, with the function IrreduciblePolynomial, for which the package Algebra`FiniteFields` needs to be loaded first.


[input and output cells illegible in the scan]


In Mathematica the field defined by the p-ary polynomial f(x) of degree m can be described by GF[p, {f0, f1, ..., fm}]. Addition, subtraction, multiplication, and division can be performed as follows:

[cells illegible in the scan]

Two questions that arise naturally at this moment are:


1) Does an irreducible, p-ary polynomial f(x) of degree n exist for every prime number p and every integer n? If so, then we have proved the existence of finite fields F_q for all prime powers q.


2) Do other finite fields exist? 


The first question gets an affirmative answer in the next section. The second question gets a negative answer in Section B.4.

B.3 The Number of Irreducible Polynomials over GF(q)


In this section we want to count the number of irreducible polynomials over a finite field F_q. Clearly, if f(x) is irreducible, then so is a f(x), for a ∈ F_q\{0}. Also the ideals (f(x)) and (a f(x)) are the same when a ∈ F_q\{0}. Therefore we shall only count so-called monic polynomials of degree n, i.e. polynomials whose leading coefficient (the coefficient of x^n) is equal to 1.


Definition B.15
I_q(n) = # q-ary, irreducible, monic polynomials of degree n,


I(n) = I_2(n) = # binary, irreducible polynomials of degree n.


To develop some intuition for our counting problem, we start with a brute force attack for the special case that q = 2. We shall try therefore to determine I(n).


There are only two binary polynomials of degree 1, namely 


x and x+1. 


By definition, both are irreducible. Thus, I(1) = 2.


By taking all possible products of x and x + 1, one finds three reducible polynomials of degree 2:


x·x = x^2, x·(x + 1) = x^2 + x, and (x + 1)^2 = x^2 + 1.


Since there are 2^2 = 4 binary polynomials of degree 2, it follows that there exists only one irreducible polynomial of degree 2, namely


x^2 + x + 1.

So, I(2) = 1.

Each 3-rd degree, reducible, binary polynomial can be written as a product of the lower degree irreducible polynomials x, x + 1 and x^2 + x + 1. In this way, one gets x^i (x + 1)^{3-i}, 0 ≤ i ≤ 3, (x^2 + x + 1) x, and (x^2 + x + 1)(x + 1). Since there are 2^3 = 8 binary polynomials of degree 3, we conclude that there are 8 - 4 - 2 = 2 irreducible, binary polynomials of degree 3. So, I(3) = 2.


The two binary, irreducible polynomials of degree 3 are:


x^3 + x + 1 and x^3 + x^2 + 1.


At this moment it is important to note that for the counting arguments above we do not have to know the actual form of the lower degree, irreducible polynomials. We only have to know how many there are of a certain degree.

Indeed, to find I(4) we can count the number of reducible, 4-th degree polynomials as follows:


                                                                   number
product of four 1-st degree polynomials                                 5
product of one 2-nd degree polynomial and two 1-st degree polynomials   1 x 3 = 3
product of two 2-nd degree polynomials                                  1
product of one 3-rd degree polynomial and one 1-st degree polynomial    2 x 2 = 4
                                                            total      13


It follows that there are 2^4 - 13 = 3 irreducible, binary polynomials of degree 4. So, I(4) = 3.


With some additional work one can find these three irreducible, 4-th degree polynomials:


x^4 + x + 1, x^4 + x^3 + 1, and x^4 + x^3 + x^2 + x + 1.


Continuing in this way one finds with the necessary perseverance and precision that I(5) = 6 and I(6) = 9, etc.


The above method does not lead to a proof that I(n) > 0 for all n ∈ N, let alone to an approximation of the actual value of I(n).


We start all over again. 


Let p_i(x), i = 1, 2, ..., be an enumeration of all q-ary, irreducible, monic polynomials, such that the degrees form a non-decreasing sequence. So, the first I_q(1) polynomials have degree 1, the next I_q(2) polynomials have degree 2, etc.


Any q-ary, monic polynomial f(x) has a unique factorization of the form


f(x) = \prod_{i \ge 1} (p_i(x))^{e_i}, e_i ∈ N, i ≥ 1,


where only finitely many e_i's are unequal to zero. It follows that f(x) can uniquely be represented by the sequence (e_1, e_2, ...). Let a_i be the degree of p_i(x) and let n be the degree of f(x). Then


e_1 a_1 + e_2 a_2 + ... = n.


So, the polynomial f(x) is in a unique correspondence with the term


(z^{a_1})^{e_1} (z^{a_2})^{e_2} ...

in the expression

(1 + z^{a_1} + z^{2 a_1} + ...)(1 + z^{a_2} + z^{2 a_2} + ...) ...,

i.e. in


\prod_{i \ge 1} (1 - z^{a_i})^{-1}.

Since there are exactly q^n q-ary, monic polynomials of degree n, the above proves that


\prod_{i \ge 1} (1 - z^{a_i})^{-1} = 1 + q z + q^2 z^2 + ... = (1 - q z)^{-1},

or equivalently

\prod_{i \ge 1} (1 - z^{a_i}) = 1 - q z.


From our particular ordering we know that a_i = k for exactly I_q(k) values of i, thus the above relation can be rewritten as:


\prod_{k \ge 1} (1 - z^k)^{I_q(k)} = 1 - q z.

Now take the logarithm of both sides and differentiate the outcome. One obtains:

-q (1 - q z)^{-1} = \sum_{k \ge 1} I_q(k) (-k z^{k-1}) (1 - z^k)^{-1}.

Multiplying both sides with z yields

\sum_{n \ge 1} q^n z^n = q z (1 - q z)^{-1} = \sum_{k \ge 1} k I_q(k) z^k (1 - z^k)^{-1} = \sum_{k \ge 1} k I_q(k) \sum_{l \ge 1} z^{k l} = \sum_{n \ge 1} z^n \sum_{k \mid n} k I_q(k).

Comparing the coefficients of z^n on both sides gives the relation

\sum_{k \mid n} k I_q(k) = q^n. (B.5)
Theorem B.17 


I_q(n) = \frac{1}{n} \sum_{d \mid n} \mu(d) q^{n/d}.


Proof: Apply the Möbius Inversion Formula (Thm. A.38) to (B.5).


We can evaluate I_q(n) quite easily in Mathematica (see DivisorSum and MoebiusMu):


DivisorSum[f_, n_] := Plus @@ f /@ Divisors[n]

q = 3; n = 4; DSM[d_] := MoebiusMu[d] * q^(n/d);
DivisorSum[DSM, n] / n

18





It is now quite easy to determine the asymptotic behavior of I_q(n) and to prove that its value is always positive.


First of all, I_q(1) = q, since all monic polynomials of degree one are irreducible by definition. It follows from (B.5) that, for n ≥ 2,

q + n I_q(n) ≤ \sum_{k \mid n} k I_q(k) = q^n.

Hence

I_q(n) ≤ \frac{q^n - q}{n}. (B.6)


On the other hand (B.5) and (B.6) imply that


q^n = \sum_{k \mid n} k I_q(k) = n I_q(n) + \sum_{k \mid n, k < n} k I_q(k) ≤ n I_q(n) + \sum_{k \le n/2} q^k < n I_q(n) + q^{n/2 + 1}.


Together with (B.6) this proves the first statement in the following theorem.


Theorem B.18
For all n the number I_q(n) of monic, irreducible, n-th degree polynomials in F_q[x] satisfies (for n ≥ 2)

\frac{q^n}{n} (1 - q^{1 - n/2}) ≤ I_q(n) ≤ \frac{q^n}{n} (1 - q^{1 - n}),

and


I_q(n) > 0.


Proof: That I_q(n) > 0 follows directly for n ≥ 3. For n = 1 and 2, this follows from Theorem B.17, but also directly from I_q(1) = q > 0 and I_q(2) = q^2 - \binom{q+1}{2} = \binom{q}{2} > 0, as one can easily prove directly.


Corollary B.19
I_q(n) ≈ \frac{q^n}{n}.


The reader may want to verify this approximation for some particular cases with the following Mathematica input:


q = 2; n = 100; DSM[d_] := MoebiusMu[d] * q^(n/d);

N[DivisorSum[DSM, n] / q^n, 40]


0.999999999999999111821579473501948675013
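Relation (B.5), the brute force counts of the beginning of this section and the ratio of Corollary B.19 can all be checked without Mathematica. The following Python code is an added example, not the book's own: it computes I_q(n) from (B.5) by recursion over the proper divisors of n (no Möbius function needed), counts the binary irreducible polynomials of small degree by brute force (trial division by every polynomial of degree at most n/2, with a binary polynomial encoded as an integer whose bit i is the coefficient of x^i), and evaluates n I_q(n)/q^n exactly. All function names are this example's own.

```python
# Added example code, not from the book.  Counting irreducible polynomials over F_q.
from fractions import Fraction
from functools import lru_cache

def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]

@lru_cache(maxsize=None)
def I_q(q, n):
    """Number of monic irreducible polynomials of degree n over F_q, from (B.5):
    n I_q(n) = q^n - sum over the proper divisors k of n of k I_q(k)."""
    total = q ** n - sum(k * I_q(q, k) for k in divisors(n) if k < n)
    assert total % n == 0
    return total // n

def ratio(q, n):
    """n I_q(n) / q^n as an exact fraction (Corollary B.19 says this is close to 1)."""
    return Fraction(n * I_q(q, n), q ** n)

# Brute force over F_2.  A binary polynomial is an int: bit i is the coefficient of x^i.
def poly_mod2(a, b):
    """Remainder of a divided by b in F_2[x] (subtraction is xor)."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a

def is_irreducible2(f):
    """f is irreducible iff no polynomial of degree 1 .. deg(f)/2 divides it."""
    n = f.bit_length() - 1
    if n < 1:
        return False
    for d in range(1, n // 2 + 1):
        for g in range(1 << d, 1 << (d + 1)):     # every binary polynomial of degree d
            if poly_mod2(f, g) == 0:
                return False
    return True

def irreducible2(n):
    """All binary irreducible polynomials of degree n, e.g. 0b10011 = x^4 + x + 1."""
    return [f for f in range(1 << n, 1 << (n + 1)) if is_irreducible2(f)]

def poly2_str(f):
    terms = [("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
             for i in range(f.bit_length()) if f >> i & 1]
    return " + ".join(reversed(terms))

if __name__ == "__main__":
    for n in range(1, 7):
        print(n, I_q(2, n), len(irreducible2(n)))   # 2 1 2 3 6 9 from both methods
    print([poly2_str(f) for f in irreducible2(4)])
    print(I_q(3, 4))                                 # 18, as in the Mathematica cell
    print(float(ratio(2, 100)))                      # about 1 - 2^-50
```

For q = 2 and n = 100 the exact ratio is 1 - 2^-50 - 2^-80 + 2^-90, which is the 40-digit value printed by Mathematica above; the brute force counter is only meant for small degrees, since it tries all 2^(n/2) candidate divisors.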


It follows from this corollary that a randomly selected, monic polynomial of degree n is irreducible with a probability of about 1/n. With the Mathematica function Factor one can easily check if a particular polynomial is irreducible or not.

Factor[1 + x + ..., Modulus -> 2]

[the remaining exponents of the input polynomial and the output cell are illegible in the scan]


B.4 The Structure of Finite Fields 


B.4.1 The Cyclic Structure of a Finite Field 


It follows from Theorem B.11, Theorem B.16 and Theorem B.18 that finite fields (F_q, +, ·) exist for all prime powers q. If q is a prime number p, F_q can be represented by the integers modulo p. If q is a power of a prime, say q = p^m, F_q can be represented by p-ary polynomials modulo an irreducible polynomial of degree m. We state the above as a theorem.


Theorem B.20
Let p be a prime and q = p^m, m ≥ 1. Then a finite field of order q exists.


Later in this section we shall see that every finite field can be described by the construction of Theorem B.16. But first we shall prove an extremely nice property of finite fields, namely that their multiplicative group is cyclic! By Theorem B.5, we know that every non-zero element in F_q has a multiplicative order dividing q - 1.


Definition B.16

An element w in a finite field of order q is called an n-th root of unity if w^n = e. An element w is called a primitive n-th root of unity if it has order n.

If w is a primitive (q - 1)-st root of unity, then w is called a primitive element or generator of F_q.


Theorem B.21

Let (F_q, +, ·) be a finite field and let d be an integer dividing q - 1. Then F_q contains exactly φ(d) elements of order d.

In particular, (F_q\{0}, ·) is a cyclic group of order q - 1, which contains φ(q - 1) primitive elements.


Proof: By Theorem B.5, every non-zero element in F_q has a multiplicative order d, which divides q - 1. On the other hand, suppose that F_q contains an element of order d, d | (q - 1), say w. Then all d distinct powers of w are a zero of x^d - e. It follows from Theorem B.15 that every d-th root of unity in F_q is a power of w. It follows from Lemma B.4 that, under the assumption that F_q contains an element of order d, F_q will contain exactly φ(d) elements of order d, namely w^i with gcd(i, d) = 1.

Let a(d) be the number of elements of order d in F_q. Then the above implies that


i) a(d) = 0 or a(d) = φ(d)


and also that


ii) \sum_{d \mid (q-1)} a(d) = q - 1.

On the other hand, Theorem A.12 states that \sum_{d \mid (q-1)} φ(d) = q - 1. So we conclude that a(d) = φ(d) for all d | (q - 1).
In particular, a(q - 1) = φ(q - 1), which means that F_q contains φ(q - 1) primitive elements and that F_q\{0} is a cyclic group.
□


To check if a particular element w in GF(q) has order d, d | (q - 1), it suffices to check that w^d = 1 and that w^{d/r} ≠ 1 for every prime divisor r of d. See also the discussion below Lemma B.3.


To find a primitive element in Z_p, p prime, the Mathematica function PowerList can be used. It finds a primitive element in Z_p and generates all its powers (starting with the 0-th). The second element in this list is the primitive element itself. First, the package Algebra`FiniteFields` needs to be loaded.


<< Algebra`FiniteFields`


p = 17; PrimeQ[p]
PowerList[GF[p, 1]][[2]]


True


{3}


Problems B.6 and B.10 indicate an efficient way (due to Gauss) to find a primitive element in a 
finite field. 


Corollary B.22


Every element w in F_q satisfies


w^{q^n} = w, n ≥ 1.

Proof: For w = 0 the statement is trivially true. By Theorem B.5 or Theorem B.21, any w, w ≠ 0, has an order dividing q - 1. So it satisfies w^{q-1} = e and thus also w^q = w. Since w^{q^n} = (w^{q^{n-1}})^q, the proof now follows with an easy induction argument.


Corollary B.23
Let F_q be a finite field. Then


x^q - x = \prod_{w \in F_q} (x - w).

Proof: Every element w in F_q is a zero of x^q - x by Corollary B.22, therefore the right hand side above divides the left hand side. Equality now follows because the expressions on both sides are monic and of the same degree.
□


Corollary B.23 will be used later as a tool to check if a certain element in a field containing F_q is actually in F_q itself.


Example B.6


Consider the finite field (F_2[x]/(f(x)), +, ·) with f(x) = x^4 + x^3 + x^2 + x + 1. It contains 2^4 = 16 elements, which can be represented by binary polynomials of degree < 4. The element x, representing the class <x>, is not a primitive element, since x^5 = (x + 1) f(x) + 1 ≡ 1 (mod f(x)). So x has order 5 instead of 15. With Mathematica this can be checked as follows:


f = 1 + x + x^2 + x^3 + x^4;
PolynomialMod[x^2, f, Modulus -> 2]
PolynomialMod[x^3, f, Modulus -> 2]
PolynomialMod[x^4, f, Modulus -> 2]
PolynomialMod[x^5, f, Modulus -> 2]


x^2
x^3
1 + x + x^2 + x^3
1

The element x + 1 is a primitive element (its order is 15), as one can see in Table B.1. It is also easy to verify. Indeed, x + 1 has an order dividing 15. So one only has to check that (x + 1) raised to the power 3 or 5 does not reduce to 1 modulo f(x).





Multiplication is easy to perform with Table B.1. For instance


(x^2 + x^3)(x + x^2) = (x + 1)^10 (x + 1)^13 = (x + 1)^23 = (x + 1)^8 = x^3 + 1 (mod f(x)).


The element x + 1 is a zero of the irreducible polynomial y^4 + y^3 + 1 since


(x + 1)^4 + (x + 1)^3 + 1 ≡ 0 (mod f(x)).


Therefore, in (F_2[x]/(g(x)), +, ·) [remainder of this sentence lost in the scan] Table B.2.

[Tables B.1 and B.2 are illegible in the scan; only their captions survive.]

Table B.1 (F_2[x]/(1 + x + x^2 + x^3 + x^4), +, ·) with primitive element 1 + x.

Table B.2 (F_2[x]/(1 + x^3 + x^4), +, ·) with primitive element x.


B.4.2 The Cardinality of a Finite Field 


Consider the elements e, 2e, 3e, etc. in F_q. Since F_q is finite, not all these elements can be different. Also, if ie = je, with i < j, then (j - i)e = 0. These observations justify the following definition.


Definition B.17
The characteristic of a finite field F_q with unit-element e is the smallest positive integer c such that ce = 0.
Theorem B.24


The characteristic of a finite field F_q is a prime.


Proof: Suppose that the characteristic c can be written as c'c'', where c' > 1 and c'' > 1. Then 0 = ce = (c'e)(c''e), while c'e ≠ 0 and c''e ≠ 0. So c'e and c''e are zero-divisors. This contradicts the assumption that F_q is a field.


Definition B.18

Two finite fields (F_q, +, ·) and (F_{q'}, ⊕, ⊗) are said to be isomorphic if there exists a one-to-one mapping ψ from F_q onto F_{q'} (so q = q'), such that for all a_1 and a_2 in F_q:

i) ψ(a_1 + a_2) = ψ(a_1) ⊕ ψ(a_2),

ii) ψ(a_1 · a_2) = ψ(a_1) ⊗ ψ(a_2).


In words, two fields are isomorphic if after renaming the elements in them they behave exactly the same with respect to the operations addition and multiplication.


Lemma B.25
Let (F_q, +, ·) be a finite field with characteristic p. Then (F_q, +, ·) contains a subfield which is isomorphic to (Z_p, +, ·), i.e. to the integers modulo p.


Proof: The subset {ie | i = 0, 1, ..., p - 1} forms a subfield of (F_q, +, ·) which is isomorphic to (Z_p, +, ·) under the isomorphism ψ(ie) = i, 0 ≤ i < p.
□


In view of the lemma above, we can and shall from now on identify the subfield in (F_q, +, ·) of order p with the field (Z_p, +, ·). The subfield F_p is often called the ground field of F_q. Conversely, the field F_q is called an extension field of F_p.


Theorem B.26
Let F_q be a finite field of characteristic p. Then F_q can be viewed as a vector space over F_p and q = p^m for some integer m, m ≥ 1.


Proof: Let u_1, u_2, ..., u_m be a basis of F_q over F_p, i.e. every element w in F_q can be written as


w = a_1 u_1 + a_2 u_2 + ... + a_m u_m,

where a_i ∈ F_p, 1 ≤ i ≤ m, and there is no dependency of the field elements u_i over F_p. It follows that this representation is unique and thus q = |F_q| = p^m.
□


At this moment we know that finite fields F_q can only exist for prime powers q. Theorem B.20 states that F_q indeed does exist for prime powers q. That all finite fields with the same value of q are isomorphic to each other will be proved later.
B.4.3 Some Calculus Rules over Finite Fields; Conjugates


Theorem B.27
Let w be an element in a finite field F_q of characteristic p. Then in F_q[x]


(x - w)^p = x^p - w^p.

Proof: Let 0 < i < p. Then gcd(p, i!) = 1, so

\binom{p}{i} = \frac{p (p - 1) \cdots (p - i + 1)}{i!} ≡ 0 (mod p),

and with the binomial theorem, we have that


(x - w)^p = x^p + (-w)^p = x^p - w^p,


where the last equality is obvious for odd p, while for p = 2 this equality follows from +1 = -1.


To demonstrate this we use again the Mathematica function PolynomialMod.


[cell illegible in the scan]
Corollary B.28
Let a_i, 1 ≤ i ≤ k, be elements in a finite field F_q of characteristic p. Then for every n


(\sum_{i=1}^{k} a_i)^{p^n} = \sum_{i=1}^{k} a_i^{p^n}.


[Mathematica cell: p = 3; PolynomialMod[(a + b + c)^(...), Modulus -> p]; the exponent and the output, of the form a^(...) + b^(...) + c^(...), are illegible in the scan]


Proof: Use an induction argument on k and on n. Start with (a_1 + a_2)^p = a_1^p + a_2^p.

The following theorem often gives a powerful criterion to determine whether an element in a field F_q of characteristic p actually lies in the ground field F_p.


Theorem B.29
Let F_q be a finite field of characteristic p. So q = p^m, m > 0, and F_q contains F_p as a subfield. Let w be an element in F_q. Then


w^p = w ⟺ w ∈ F_p.

Proof: The p elements in the subfield F_p satisfy x^p = x by Corollary B.23. On the other hand, the polynomial x^p - x has at most p zeros in F_q by Theorem B.15.
□

Let w be an element in F_q, a field of characteristic p, but w not in F_p. Then w^p ≠ w by the previous theorem. Still there is a relation between w^p and w.


Theorem B.30
Let w be an element in a finite field F_q of characteristic p. Let f(x) be a polynomial over F_p such that f(w) = 0. Then for all n ∈ N


f(w^{p^n}) = 0.


Proof: Write f(x) = \sum_{i=0}^{m} f_i x^i. Since f_i ∈ F_p, 0 ≤ i ≤ m, one has by Corollary B.22 and Theorem B.29 that


0 = (f(w))^{p^n} = (\sum_{i=0}^{m} f_i w^i)^{p^n} = \sum_{i=0}^{m} (f_i w^i)^{p^n} = \sum_{i=0}^{m} f_i^{p^n} (w^{p^n})^i = \sum_{i=0}^{m} f_i (w^{p^n})^i = f(w^{p^n}).
□


In R and C a similar thing happens. If f(x) is a polynomial over the reals and f(w) = 0, w ∈ C, then also f(w̄) = 0, where w̄ is the complex conjugate of w.


The following theorem states that the number of different elements w^{p^i}, i = 0, 1, ..., only depends on p and the (multiplicative) order of w.


Theorem B.31

Let w be an element of order n in a finite field of characteristic p. Let m be the multiplicative order of p modulo n, i.e. p^m ≡ 1 (mod n), with m > 0. Then the m elements


w, w^p, w^{p^2}, ..., w^{p^{m-1}}


are all different and w^{p^m} = w.
The m elements w^{p^i}, 0 ≤ i ≤ m - 1, are called the conjugates of w.

Proof: By Lemma B.3 (twice), one has that w^{p^i} = w^{p^j} if and only if p^i ≡ p^j (mod n), and thus if and only if p^{i-j} ≡ 1 (mod n), i.e. if and only if i ≡ j (mod m).


Example B.7


Consider (F_2[x]/(f(x)), +, ·) with f(x) = x^4 + x^3 + x^2 + x + 1 (see Example B.6). The field element x has order 5. The multiplicative order of 2 modulo 5 is 4. So x, x^2, x^4, and x^8 are all different, while x^16 = x. Indeed, x^4 ≡ x^3 + x^2 + x + 1 (mod f(x)), x^8 ≡ x^3 (mod f(x)), while x^16 ≡ x (mod f(x)), as can be checked with the Mathematica functions Table and PolynomialMod:


p = 2; m = 4; f = 1 + x + x^2 + x^3 + x^4;
Table[PolynomialMod[x^(p^i), f, Modulus -> p], {i, 0, m}] // TableForm


x
x^2
1 + x + x^2 + x^3
x^3
x


B.4.4 Minimal Polynomials, Primitive Polynomials 


Theorem B.32

Let F_q be a finite field of characteristic p. Take n | (q - 1) and let w be an element of order n in F_q. Further, let m be the multiplicative order of p modulo n.

Then the polynomial


m(x) = \prod_{i=0}^{m-1} (x - w^{p^i}) (B.7)


has its coefficients in F_p and it is irreducible over F_p. It is called the minimal polynomial of w over F_p.


Proof: Clearly, m(x) is a polynomial over F_q. Write m(x) = \sum_{i=0}^{m} m_i x^i. We have to show that the coefficients m_i are in the ground field F_p. To this end we shall use the powerful criterion of Theorem B.29.


It follows from Theorem B.27 and Corollary B.22 (with n = 1) that

(m(x))^p = \prod_{i=0}^{m-1} (x - w^{p^i})^p = \prod_{i=0}^{m-1} (x^p - w^{p^{i+1}}) = \prod_{i=1}^{m} (x^p - w^{p^i}) = \prod_{i=0}^{m-1} (x^p - w^{p^i}) = m(x^p).


Hence


\sum_{i=0}^{m} m_i x^{p i} = m(x^p) = (m(x))^p = (\sum_{i=0}^{m} m_i x^i)^p = \sum_{i=0}^{m} m_i^p x^{p i}.


Comparing the coefficients of x^{p i} on both hands yields m_i = m_i^p. It follows from Theorem B.29 that m_i ∈ F_p, 0 ≤ i ≤ m. So m(x) is a polynomial in F_p[x].


From Theorem B.30 and Theorem B.31 it follows that no polynomial in F_p[x] of degree less than m can have w as a zero. So m(x) is irreducible over F_p.
□

Corollary B.33
Let w be an element of order n in a finite field of characteristic p. Let m(x) be defined as in Theorem B.32 and let f(x) be any p-ary polynomial that has w as zero. Then f(x) is divisible by m(x).

Proof: Combine Theorem B.30, Theorem B.31, and Theorem B.32.
□


So m(x), as defined in Theorem B.32, is the monic polynomial of lowest degree over F_p having w as a zero. That is the reason why m(x) is called the minimal polynomial of w over F_p. It has w and all the conjugates of w as zeros. The degree of the minimal polynomial m(x) of an element w is often simply called the degree of w over F_p.


If m(x) is the minimal polynomial of a primitive element, then m(x) is called a primitive polynomial. Mathematica finds a primitive polynomial of degree m over F_p in the variable z by means of the FieldIrreducible function.


<< Algebra`FiniteFields`

m = 6; p = 2;
FieldIrreducible[GF[p, m], z]

[output: a polynomial of the form 1 + z^a + z^6 with the exponent a illegible in the scan]
Let f(x) be a primitive polynomial over F_p of degree m. A table (like Table B.2) in which each non-zero element in the finite field (F_p[x]/(f(x)), +, ·) is represented as a polynomial in x of degree < m and as a power of x is called a log table of that field. These tables are very practical to have when extensive calculations need to be done in the field.

These logarithm tables can be made quite easily by Mathematica. Depending on whether one wants Mathematica to select a suitable primitive polynomial or to enter one's own, one can type:


[first Mathematica cell and its output table illegible in the scan]

or

[second Mathematica cell and its output table illegible in the scan]

To determine x^i in a field GF[p, m] or, conversely, to find i such that x^i is equal to a particular element in GF[p, m], one can use the Mathematica functions FieldExp[GF[p, m], i], resp. FieldInd[GF[p, m][{list}]] (essential for this calculation is the assignment True to PowerListQ).





There are several ways to find the minimal polynomial of a field element. We shall demonstrate two methods.


Method 1:


Let α be a zero of the binary primitive polynomial x^5 + x^2 + 1. So α has order 31 and the conjugates of α^3 are α^6, α^12, α^24, and α^17. Then the minimal polynomial of α^3 can be found by:


[Mathematica cell illegible in the scan; output:]

1 + x^2 + x^3 + x^4 + x^5


Method 2:


Let α be a zero of the binary primitive polynomial x^5 + x^2 + 1. To find the minimal polynomial of β = α^3, we first compute 1, β, β^2, β^3, β^4, and β^5, using α^5 + α^2 + 1 = 0.

[cell illegible in the scan]

We use the Mathematica function CoefficientList to convert the coefficients into vectors. Note that we use the Join function to pad the output with zeros to make all vectors of length 5.

[cell illegible in the scan]

We need to find a linear dependency between 1, β, β^2, β^3, β^4, and β^5, say \sum_{i=0}^{5} g_i β^i = 0 with g_i ∈ GF(2). To this end we use the Mathematica functions NullSpace and Transpose. This leads to the minimal polynomial g(x) of β.

[cell illegible in the scan]

We conclude that β has minimal polynomial 1 + x^2 + x^3 + x^4 + x^5.
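Both methods above, together with the order test given below Theorem B.21 and the log table just described, fit in a few lines of code. The following Python code is an added example and not the book's own: a binary polynomial is stored as an integer whose bit i is the coefficient of x^i (so x^5 + x^2 + 1 is 0b100101), multiplication in F_2[x]/(f(x)) is a shift-and-xor loop, Method 1 expands the product (B.7) over the conjugates, and Method 2 finds the first F_2-linear dependency among 1, β, β^2, ... by row reduction instead of Mathematica's NullSpace. All function names are this example's own, and f is assumed irreducible.

```python
# Added example code, not from the book.  F_2[x]/(f(x)) with polynomials stored as ints
# (bit i = coefficient of x^i); f is the modulus, assumed irreducible of degree m.

def gf_mul(a, b, f):
    """Product of a and b modulo f (shift-and-xor; -1 = +1 in characteristic 2)."""
    m = f.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m & 1:               # degree reached m: reduce by f
            a ^= f
    return r

def gf_pow(a, e, f):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, f)
        a = gf_mul(a, a, f)
        e >>= 1
    return r

def prime_factors(n):
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def order(a, f):
    """Multiplicative order of a != 0, by the test below Theorem B.21: start from q - 1
    and divide out a prime r as long as a^(d/r) is still 1."""
    d = 2 ** (f.bit_length() - 1) - 1
    for r in prime_factors(d):
        while d % r == 0 and gf_pow(a, d // r, f) == 1:
            d //= r
    return d

def is_primitive(a, f):
    return order(a, f) == 2 ** (f.bit_length() - 1) - 1

def log_table(g, f):
    """Log table (like Table B.2) for a primitive element g: element -> i with g^i = element."""
    q = 2 ** (f.bit_length() - 1)
    table, e = {}, 1
    for i in range(q - 1):
        table[e] = i
        e = gf_mul(e, g, f)
    return table

def conjugates(w, f):
    """w, w^2, w^4, ... up to (not including) the first repetition (Theorem B.31, p = 2)."""
    out = []
    while w not in out:
        out.append(w)
        w = gf_mul(w, w, f)
    return out

def minimal_polynomial(w, f):
    """Method 1: expand prod (x - c) over the conjugates c of w, i.e. (B.7).  The
    coefficients are field elements that must come out in F_2 (Theorem B.32)."""
    coeffs = [1]                                  # the polynomial 1
    for c in conjugates(w, f):
        new = [0] * (len(coeffs) + 1)
        for i, a in enumerate(coeffs):
            new[i + 1] ^= a                       # a x^i * x
            new[i] ^= gf_mul(a, c, f)             # a x^i * (-c), and -c = c
        coeffs = new
    assert all(a in (0, 1) for a in coeffs), "coefficients not in F_2"
    return sum(a << i for i, a in enumerate(coeffs))

def minimal_polynomial_nullspace(w, f):
    """Method 2: the first dependency g_0 + g_1 w + ... + g_k w^k = 0 over F_2, found by
    row reduction; the g_i are returned as the bits of an int."""
    m = f.bit_length() - 1
    pivots = {}                                   # pivot bit -> (reduced vector, combination)
    power = 1
    for k in range(m + 1):
        vec, combo = power, 1 << k                # combo records which powers were xored in
        for pivot in sorted(pivots, reverse=True):
            if vec >> pivot & 1:
                pv, pc = pivots[pivot]
                vec ^= pv
                combo ^= pc
        if vec == 0:
            return combo                          # sum over the bits j of combo of w^j is 0
        pivots[vec.bit_length() - 1] = (vec, combo)
        power = gf_mul(power, w, f)
    raise ValueError("no dependency found: f is not irreducible of degree m")

if __name__ == "__main__":
    f = 0b100101                                  # x^5 + x^2 + 1, alpha = x = 0b10
    beta = gf_pow(0b10, 3, f)                     # alpha^3
    print(order(0b10, f))                         # 31
    print(bin(minimal_polynomial(beta, f)))       # 0b111101 = 1 + x^2 + x^3 + x^4 + x^5
    print(bin(minimal_polynomial_nullspace(beta, f)))
```

The same functions reproduce Example B.6 with f = 0b11111 (x^4 + x^3 + x^2 + x + 1): x has order 5, x + 1 has order 15, its minimal polynomial comes out as 0b11001 (y^4 + y^3 + 1), and the log table gives the exponents used in the multiplication example there.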
B.4.5 Further Properties


Let m(x) be the minimal polynomial of an element w of degree m. It follows from Corollary B.33 that the p^m expressions \sum_{i=0}^{m-1} f_i w^i, f_i ∈ F_p, 0 ≤ i < m, take on p^m different values. For these expressions addition and multiplication can be performed just as in (B.3) and (B.4), where the relation m(w) = 0 has to be used to reduce the degree of the outcome to a value less than m. It is quite easy to check that one obtains a field that is isomorphic to (F_p[x]/(m(x)), +, ·).


If m(x) is primitive, one has that the elements 1, x, ..., x^{p^m - 2} are all different modulo m(x), just as the elements 1, w, ..., w^{p^m - 2} are all different. See for instance Example B.6, where the primitive element w = 1 + x has minimal polynomial m(y) = 1 + y^3 + y^4. Table B.2 shows the field (F_2[x]/(m(x)), +, ·).


Lemma B.34
Let m(x) be an irreducible polynomial of degree m over a field with p elements and let n be a multiple of m.
Then m(x) divides x^{p^n} - x.


Proof: Consider the residue class ring (F_p[x]/(m(x)), +, ·). This ring is a field with q = p^m elements by Theorem B.16. The field element <x> is a zero of m(x), since m(<x>) = <m(x)> = <0>. It follows from Corollary B.22 that <x> is a zero of x^{p^n} - x. By Corollary B.33 we conclude that m(x) divides x^{p^n} - x.
□


Also the converse of Lemma B.34 is true.


Theorem B.35
The polynomial x^{p^n} - x is the product of all irreducible, monic, p-ary polynomials of degree dividing n.


Proof: Let m | n. There are I_p(m) irreducible polynomials of degree m over F_p, all of which divide x^{p^n} - x by Lemma B.34. The sum of their degrees is m I_p(m). Since \sum_{m \mid n} m I_p(m) = p^n = degree(x^{p^n} - x) by (B.5), it follows that the irreducible, monic, p-ary polynomials of degree m, m | n, form the complete factorization of x^{p^n} - x.


Example B.8
p = 2, n = 4,
I_2(1) = 2, I_2(2) = 1, I_2(4) = 3 (see Section B.3).


x^16 - x = x (x + 1)(x^2 + x + 1)(x^4 + x + 1)(x^4 + x^3 + 1)(x^4 + x^3 + x^2 + x + 1).

[Mathematica factorization cell, input illegible in the scan; output:]
x (1 + x) (1 + x + x^2) (1 + x + x^4) (1 + x^3 + x^4) (1 + x + x^2 + x^3 + x^4)


Corollary B.36
Let f(x) be an irreducible polynomial in F_p[x] of degree m. Let m | n. Then a finite field with p^n elements contains m roots of f(x).


Proof: By Theorem B.35, f(x) divides x^q - x, q = p^n. On the other hand, x^q - x = \prod_{w \in F_q} (x - w) by Corollary B.23.
□


Theorem B.37
Let p be a prime and m ∈ N. Then the finite field F_{p^m} is unique, up to isomorphism.


Proof: Write q = p^m and let F_q be any finite field of order q. Let f(x) be any irreducible, p-ary polynomial of degree m. We shall show that F_q is isomorphic to F_p[x]/(f(x)). By Corollary B.36, F_q contains m zeros of f(x). Let w be one of these m zeros. Since f(x) is irreducible in F_p[x], there is no lower degree polynomial over F_p with w as zero. This implies that the m elements 1, w, ..., w^{m-1} are independent over F_p, thus any element in F_q can be written as \sum_{i=0}^{m-1} f_i w^i, f_i ∈ F_p, 0 ≤ i ≤ m - 1.


The isomorphism between F_q and F_p[x]/(f(x)) is now obvious.
□

Corollary B.38
F_{p^m} is (isomorphic to) a subfield of F_{p^n} if and only if m divides n.

Proof: The following assertions are all equivalent:
i) m | n,
ii) (p^m - 1) divides (p^n - 1),
iii) (x^{p^m} - x) divides (x^{p^n} - x),
iv) \prod_{w \in F_{p^m}} (x - w) divides \prod_{w \in F_{p^n}} (x - w),
v) F_{p^m} is a subfield of F_{p^n}.
□


Example B.9


It follows from Corollary B.38 that F_{2^4} contains F_{2^2} as a subfield, while it does not contain F_{2^3} as a subfield. From Table B.2 one can easily verify that the elements 0, 1, x^5 and x^10 form a subfield of cardinality 2^2 in (F_2[x]/(x^4 + x^3 + 1), +, ·).


B.4.6 Cyclotomic Polynomials 


Consider a finite field F_q of characteristic p. So q = p^m for some m > 0. By Theorem B.5, every element in F_q has an order dividing q - 1. Let n | (q - 1) and let w be a primitive n-th root of unity in F_q. For instance, w = a^{(q-1)/n}, where a is a primitive element in F_q. Let d | n and put η = w^{n/d}. Then η is a primitive d-th root of unity. Clearly, the d elements 1, η, ..., η^{d-1} are a zero of x^d - 1. By Theorem B.15, no other element in F_q is a zero of x^d - 1.


For d | (q - 1) put


Q^{(d)}(x) = \prod_{\xi \in F_q, \xi \text{ has order } d} (x - \xi).


If ξ has order d, d | (q - 1), then by Lemma B.4 also ξ^p has order d. So with ξ a zero of Q^{(d)}(x) also its conjugates are zeros of Q^{(d)}(x). It follows from Theorem B.32 that Q^{(d)}(x) is the product of some minimal polynomials over F_p and thus that Q^{(d)}(x) is a polynomial over F_p.


By Theorem B.21, Q^{(d)}(x) has degree φ(d). Since w is a primitive n-th root of unity, it follows that


x^n - 1 = \prod_{i=0}^{n-1} (x - w^i) = \prod_{\xi \in F_q, \xi \text{ has order dividing } n} (x - \xi) = \prod_{d \mid n} \prod_{\xi \in F_q, \xi \text{ has order } d} (x - \xi) = \prod_{d \mid n} Q^{(d)}(x). (B.8)


Theorem B.39
Q^{(n)}(x) = \prod_{d \mid n} (x^d - 1)^{\mu(n/d)}.


Proof: Apply the Multiplicative Möbius Inversion Formula (Corollary A.39) to (B.8).

Example B.10
Q^{(36)}(x) = \prod_{d \mid 36} (x^d - 1)^{\mu(36/d)} = \frac{(x^{36} - 1)(x^6 - 1)}{(x^{18} - 1)(x^{12} - 1)} = x^{12} - x^6 + 1.


This can also be evaluated with Mathematica:


DivisorProduct[f_, n_] := Times @@ f /@ Divisors[n]

n = 36; Clear[f, x];
f[d_] := (x^d - 1)^MoebiusMu[n/d]
DivisorProduct[f, n] // Simplify


1 - x^6 + x^12


or directly with the Mathematica function Cyclotomic:


Cyclotomic[36, x]


1 - x^6 + x^12


If p = 2, one can write Q^{(36)}(x) = x^12 + x^6 + 1.


The expression for Q^{(n)}(x) in Theorem B.39 seems to be independent of the finite field. This is not really true, because in the evaluation of that expression the characteristic does play a role.


All the irreducible factors of Q^{(d)}(x) have the same degree, because all the zeros of Q^{(d)}(x) have the same order d. Indeed, by Theorem B.32, each irreducible factor of Q^{(d)}(x) has as degree the multiplicative order of p modulo d.


In particular we have the following theorem.

Theorem B.40
The number of primitive, p-ary, monic polynomials of degree m is

\frac{\phi(p^m - 1)}{m}.


Proof: A primitive, p-ary polynomial of degree m divides Q^{(p^m - 1)}(x) and this cyclotomic polynomial has only factors of this type. The degree of Q^{(p^m - 1)}(x) is φ(p^m - 1).


Example B.11: p = 2


x^16 - x = x (x^15 - 1) = x Q^{(1)}(x) Q^{(3)}(x) Q^{(5)}(x) Q^{(15)}(x),
where

Q^{(1)}(x) = x + 1,

Q^{(3)}(x) = x^2 + x + 1,

Q^{(5)}(x) = x^4 + x^3 + x^2 + x + 1,

Q^{(15)}(x) = (x^4 + x + 1)(x^4 + x^3 + 1).


Indeed, there are φ(15)/4 = 2 primitive polynomials of degree 4. See also Example B.6.
A way to find all primitive polynomials of degree m over F_p is to factor Q^{(p^m − 1)}(x). 


Example B.12 

Factoring Q^{(31)}(x) over GF(2), for instance with Mathematica's Factor[Cyclotomic[31, x], Modulus -> 2], 
yields the φ(31)/5 = 6 binary primitive polynomials of degree 5: 

   Q^{(31)}(x) = 1 + x + x^2 + ... + x^{30} 
              = (1 + x^2 + x^5)(1 + x^3 + x^5)(1 + x + x^2 + x^3 + x^5) 
                (1 + x + x^2 + x^4 + x^5)(1 + x + x^3 + x^4 + x^5)(1 + x^2 + x^3 + x^4 + x^5). 
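Theorems B.39 and B.40 carried out in code, as an added example that is neither the book's text nor its Mathematica sessions: binary polynomials are held as Python ints (bit i is the coefficient of x^i, the same representation LFSR feedback polynomials use), cyclotomic_gf2 evaluates the Möbius product of Theorem B.39 reduced mod 2, and primitive_polys_gf2 enumerates the primitive polynomials of degree m so that their number can be compared with φ(2^m − 1)/m and their product with Q^{(2^m − 1)}(x). The primitivity test is the order-of-x criterion (x has order exactly 2^m − 1 modulo f), a different route from factoring the cyclotomic polynomial as in Example B.12; all function names are this example's own, and it goes beyond the page's m = 4 case by also running m = 5 and 6.

```python
# Added example (not from the book): Theorems B.39 and B.40 worked over GF(2).
# A binary polynomial is stored as an int whose bit i is the coefficient of x^i,
# e.g. x^4 + x + 1 == 0b10011, so LFSR feedback polynomials drop straight in.
from functools import reduce
from math import gcd

def gf2_mul(a, b):
    """Carry-less product in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def gf2_divmod(a, b):
    """Long division in GF(2)[x]: returns (quotient, remainder)."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def moebius(n):
    """mu(n): 0 if a square divides n, else (-1)^(number of prime factors)."""
    k, p = 0, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return 0
            k += 1
        p += 1
    return -1 if (k + (n > 1)) % 2 else 1

def cyclotomic_gf2(n):
    """Q^(n)(x) over GF(2) = prod_{d|n} (x^(n/d) - 1)^mu(d) (Theorem B.39):
    mu = +1 terms multiply the numerator, mu = -1 terms the denominator."""
    num = den = 1
    for d in range(1, n + 1):
        if n % d:
            continue
        term = (1 << (n // d)) | 1          # x^(n/d) + 1, i.e. x^(n/d) - 1 mod 2
        if moebius(d) == 1:
            num = gf2_mul(num, term)
        elif moebius(d) == -1:
            den = gf2_mul(den, term)
    q, r = gf2_divmod(num, den)
    assert r == 0                            # the inversion formula divides exactly
    return q

def poly_powmod(base, e, mod):
    """base^e in GF(2)[x]/(mod) by square-and-multiply."""
    result, base = 1, gf2_divmod(base, mod)[1]
    while e:
        if e & 1:
            result = gf2_divmod(gf2_mul(result, base), mod)[1]
        base = gf2_divmod(gf2_mul(base, base), mod)[1]
        e >>= 1
    return result

def prime_factors(n):
    fs, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            fs.add(p)
            n //= p
        p += 1
    return fs | ({n} if n > 1 else set())

def is_primitive_gf2(f):
    """f of degree m is primitive iff x has order exactly 2^m - 1 in GF(2)[x]/(f).
    A reducible f has too few units for that order, so this test alone suffices."""
    m = f.bit_length() - 1
    if m < 1 or not f & 1:                   # f(0) must be 1 for x to be a unit
        return False
    order = (1 << m) - 1
    return (poly_powmod(0b10, order, f) == 1 and
            all(poly_powmod(0b10, order // r, f) != 1 for r in prime_factors(order)))

def primitive_polys_gf2(m):
    """All primitive binary polynomials of degree m (Theorem B.40: phi(2^m - 1)/m)."""
    top = 1 << m
    return [top | c | 1 for c in range(0, top, 2) if is_primitive_gf2(top | c | 1)]

def euler_phi(n):
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

def product_gf2(polys):
    return reduce(gf2_mul, polys, 1)

if __name__ == "__main__":
    print(bin(cyclotomic_gf2(36)))           # Example B.10 reduced mod 2
    for m in (4, 5, 6):                      # Example B.11 is the m = 4 row
        prims = primitive_polys_gf2(m)
        print(m, len(prims), euler_phi((1 << m) - 1) // m,
              product_gf2(prims) == cyclotomic_gf2((1 << m) - 1))
```

For m = 4 the enumeration returns exactly x^4 + x + 1 and x^4 + x^3 + 1, and their carry-less product is the bit pattern of Q^{(15)}(x) from Example B.11; for m = 5 the six quintics multiply to 1 + x + ... + x^{30}, as in Example B.12. The same routine is what one runs before trusting an LFSR tap polynomial to give the maximal period 2^m − 1.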


Remark: 


In this chapter we have viewed F_q, q = p^m and p prime, as an extension field of F_p; however all the 
concepts defined in this chapter can also be generalized to F_q[x]. So, one may want to count the 
number of irreducible polynomials of degree n in F_q[x] or discuss primitive polynomials over F_q, 
etc. We leave it to the reader to verify that all the theorems in this appendix can indeed be 
generalized from F_p and F_{p^m} to F_q resp. F_{q^m} simply by replacing p by q and q by q^m. 


Example B.13 


The field F_16 can be viewed as the residue class ring F_4[x]/(x^2 + x + α), where α is an element in F_4 
satisfying α^2 + α + 1 = 0. 
B.5 Problems 


Problem B.1 
Prove that ({x ∈ R | x^2 ∈ Q, x ≠ 0}, ·) is a group. 


Problem B.2 
Prove that the elements of a reduced residue class system modulo m form a multiplicative group. 


Problem B.3 
Let (G, ∗) be a group and H a non-empty subset of G. Then (H, ∗) is a subgroup of (G, ∗) if and only if 
h_1 ∗ h_2^{−1} ∈ H for every h_1, h_2 ∈ H. 


Problem B.4 
Prove that there are essentially two different groups of order 4 (hint: each element has an order dividing 4). 


Problem B.5 
Find an element of order 12 in the group (Z_13^*, ×). Which powers of this element have order 12? Answer 
the same question for elements of order 6, 4, 3, 2 and 1. 


Problem B.6 

Let (G, +) denote a commutative group. Let a and b be two elements in G of order m resp. n. 

a) Assume that gcd(m, n) = 1. Show that a + b has order m × n. 

b) Assume no longer that gcd(m, n) = 1. Determine integers s and t such that s | m, t | n, gcd(s, t) = 1, and 
lcm[s, t] = lcm[m, n]. 

c) Construct an element in G of order lcm[m, n]. 


Problem B.7 
Find the multiplicative inverse of 1 + x? + x? (mod 1 + x^2 + x^5) over GF(2) (hint 1: Thm. B.13; hint 2). 


Problem B.8 
How many binary, irreducible polynomials (hint 1: Def. B.15; hint 2: Thm. B.17) are there of degree 7 and 
8? 


Problem B.9 
Make a log table of GF(2)[x]/(1 + x^2 + x^5) (hint: x is a primitive element). Use this table to express 
x!0 4 x79 as a power of x. 


Problem B.10 

Let α ∈ GF(q) have order m, m < q − 1. What is the probability that a random non-zero element β ∈ GF(q) 
has an order n dividing m? Give an upper bound on this probability. 

Construct an element of order lcm[m, n] (hint: see Problem B.6). 

(In fact, this method leads to an efficient way to find a primitive element in a finite field. It is due to Gauss.) 


Problem B.11 
Which subfields are contained in GF(625)? Let α be a primitive element in GF(625). Which powers of α 
constitute the various subfields of GF(625)? (Hint: Cor. B.38.) 


Problem B.12 
Prove that over GF(2): Cet yytt = ttl gy y + xe yet, 
(Hint: use Cor. B.28.) 
Problem B.13 
How many binary, primitive polynomials are there of degree 10? (Hint: Thm. B.40.) 


Problem B.14 
Determine the binary, cyclotomic polynomial Q^{(21)}(x) (hint: Thm. B.39). What is the degree of the 
binary factors of Q^{(21)}(x)? 


Problem B.15 

What is the degree of a binary, minimal polynomial of a primitive 17-th root of unity (hint: Thm. B.32)? 
How many such polynomials exist? Prove that each is its own reciprocal. Determine these polynomials 
explicitly. 


Problem B.16 
The trace mapping Tr is defined on GF(p^m), p prime, by 

   Tr(x) = x + x^p + x^{p^2} + ... + x^{p^{m−1}}. 

a) Prove that Tr(x) ∈ GF(p) for every x ∈ GF(p^m) (hint: Thm. B.29). So, Tr is a mapping from GF(p^m) to 
GF(p). 

b) Prove that Tr is a linear mapping (hint: Cor. B.28). 

c) Prove that Tr takes on every value in GF(p) equally often (hint: use Theorem B.15). 

d) Replace p by q in this problem, where q is a prime power, and verify the same statements. 


Appendix C Relevant Famous Mathematicians 


Euclid of Alexandria 





Born: about 365 BC in Alexandria, Egypt 
Died: about 300 BC 


Euclid is the most prominent mathematician of antiquity best known for his treatise on geometry 
The Elements. The long lasting nature of The Elements must make Euclid the leading mathematics 
teacher of all time. 


Little is known of Euclid's life except that he taught at Alexandria in Egypt. The picture of Euclid 
above is from the 18th Century and must be regarded as entirely fanciful. 


Euclid's most famous work is his treatise on geometry The Elements. The book was a compilation 
of geometrical knowledge that became the centre of mathematical teaching for 2000 years. 
Probably no results in The Elements were first proved by Euclid but the organization of the 
material and its exposition are certainly due to him. 


The Elements begins with definitions and axioms, including the famous fifth, or parallel, postulate 
that one and only one line can be drawn through a point parallel to a given line. Euclid's decision 
to make this an axiom led to Euclidean geometry. It was not until the 19th century that this axiom 
was dropped and non-euclidean geometries were studied. 


Zeno of Sidon, about 250 years after Euclid wrote The Elements, seems to have been the first to 
show that Euclid's propositions were not deduced from the axioms alone, and Euclid does make 
other subtle assumptions. 


The Elements is divided into 13 books. Books 1-6, plane geometry: books 7-9, number theory: 
book 10, 's theory of irrational numbers: books 11-13, solid geometry. The book ends with a 
discussion of the properties of the five regular polyhedra and a proof that there are precisely five. 
Euclid's Elements is remarkable for the clarity with which the theorems are stated and proved. The 
standard of rigour was to become a goal for the inventors of the calculus centuries later. 


More than one thousand editions of The Elements have been published since it was first printed in 
1482. 


Euclid also wrote Data (with 94 propositions), On Divisions, Optics and Phaenomena which have 
survived. His other books Surface Loci, Porisms, Conics, Book of Fallacies and Elements of Music 
have all been lost. 


Euclid may not have been a first class mathematician but the long lasting nature of The Elements 
must make him the leading mathematics teacher of antiquity. 


The source of this information is the following webpage: 


http://www-history.mcs.st-and.ac.uk/history/Mathematicians/Euclid.html 


Leonhard Euler 





Born: 15 April 1707 in Basel, Switzerland 
Died: 18 Sept 1783 in St Petersburg, Russia 


Euler made large bounds in modern analytic geometry and trigonometry. He made decisive and 
formative contributions to geometry, calculus and number theory. 


Euler's father wanted his son to follow him into the church and sent him to the University of Basel 
to prepare for the ministry. However geometry soon became his favorite subject. Euler obtained 
his father's consent to change to mathematics after Johann Bernoulli had used his persuasion. 

Johann Bernoulli became his teacher. 


He joined the St. Petersburg Academy of Science in 1727, two years after it was founded by 
Catherine I the wife of Peter the Great. Euler served as a medical lieutenant in the Russian navy 
from 1727 to 1730. In St Petersburg he lived with Daniel Bernoulli. He became professor of 
physics at the academy in 1730 and professor of mathematics in 1733. He married and left Johann 
Bernoulli's house in 1733. He had 13 children altogether of which 5 survived their infancy. He 
claimed that he made some of his greatest discoveries while holding a baby on his arm with other 
children playing round his feet. 
The publication of many articles and his book Mechanica (1736-37), which extensively presented 
Newtonian dynamics in the form of mathematical analysis for the first time, started Euler on the 
way to major mathematical work. 


In 1741, at the invitation of Frederick the Great, Euler joined the Berlin Academy of Science, 
where he remained for 25 years. Even while in Berlin he received part of his salary from Russia 
and never got on well with Frederick. During his time in Berlin, he wrote over 200 articles, three 
books on mathematical analysis, and a popular scientific publication Letters to a Princess of 
Germany (3 vols., 1768-72). 


In 1766 Euler returned to Russia. He had been arguing with Frederick the Great over academic 
freedom and Frederick was greatly angered at his departure. Euler lost the sight of his right eye at 
the age of 31 and soon after his return to St Petersburg he became almost entirely blind after a 
cataract operation. Because of his remarkable memory he was able to continue with his work on 
optics, algebra, and lunar motion. Amazingly after 1765 (when Euler was 58) he produced almost 
half his works despite being totally blind. 


After his death in 1783 the St. Petersburg Academy continued to publish Euler's unpublished work 
for nearly 50 more years. 


Euler made large bounds in modern analytic geometry and trigonometry. He made decisive and 
formative contributions to geometry, calculus and number theory. In number theory he did much 
work in correspondence with Goldbach. He integrated Leibniz's differential calculus and Newton's 
method of fluxions into mathematical analysis. In number theory he stated the prime number 
theorem and the law of biquadratic reciprocity. 


He was the most prolific writer of mathematics of all time. His complete works contains 886 
books and papers. 


We owe to him the notations f(x) (1734), e for the base of natural logs (1727), i for the square root 
of −1 (1777), π for pi, Σ for summation (1755) etc. He also introduced beta and gamma functions, 
integrating factors for differential equations etc. 


He studied continuum mechanics, lunar theory with Clairaut, the three body problem, elasticity, 
acoustics, the wave theory of light, hydraulics, music etc. He laid the foundation of analytical 
mechanics, especially in his Theory of the Motions of Rigid Bodies (1765). 


The source of this information is the following webpage: 


http://www-history.mcs.st-and.ac.uk/history/Mathematicians/Euler.html 


Pierre de Fermat 





Born: 17 Aug 1601 in Beaumont-de-Lomagne, France 


Died: 12 Jan 1665 in Castres, France 


Pierre Fermat's father was a wealthy leather merchant and second consul of Beaumont-de- 
Lomagne. Pierre had a brother and two sisters and was almost certainly brought up in the town of 
his birth. Although there is little evidence concerning his school education it must have been at the 
local Franciscan monastery. 


He attended the University of Toulouse before moving to Bordeau in the second half of the 1620s. 
In Bordeau he began his first serious mathematical researches and in 1629 he gave a copy of his 
restoration of Apollonius's Plane loci to one of the mathematicians there. Certainly in Bordeau he 
was in contact with Beaugrand and during this time he produced important work on maxima and 
minima which he gave to Etienne d'Espagnet who clearly shared mathematical interests with 
Fermat. 


From Bordeau Fermat went to Orléans where he studied law at the University. He received a 
degree in civil law and he purchased the offices of councillor at the parliament in Toulouse. So by 
1631 Fermat was a lawyer and government official in Toulouse and because of the office he now 
held he became entitled to change his name from Pierre Fermat to Pierre de Fermat. 


For the remainder of his life he lived in Toulouse but as well as working there he also worked in 
his home town of Beaumont-de-Lomagne and a nearby town of Castres. From his appointment on 
14 May 1631 Fermat worked in the lower chamber of the parliament but on 16 January 1638 he 
was appointed to a higher chamber, then in 1652 he was promoted to the highest level at the 
criminal court. Still further promotions seem to indicate a fairly meteoric rise through the 
profession but promotion was done mostly on seniority and the plague struck the region in the 
early 1650s meaning that many of the older men died. Fermat himself was struck down by the 
plague and in 1653 his death was wrongly reported, then corrected: 


I informed you earlier of the death of Fermat. He is alive, and we no longer fear for his health, 
even though we had counted him among the dead a short time ago. 


The following report, made to Colbert the leading figure in France at the time, has a ring of truth: 


Fermat, a man of great erudition, has contact with men of learning everywhere. But he is rather 
preoccupied, he does not report cases well and is confused. 


Of course Fermat was preoccupied with mathematics. He kept his mathematical friendship with 
Beaugrand after he moved to Toulouse but there he gained a new mathematical friend in Carcavi. 
Fermat met Carcavi in a professional capacity since both were councillors in Toulouse but they 
both shared a love of mathematics and Fermat told Carcavi about his mathematical discoveries. 


In 1636 Carcavi went to Paris as royal librarian and made contact with Mersenne and his group. 
Mersenne's interest was aroused by Carcavi's descriptions of Fermat's discoveries on falling 
bodies, and he wrote to Fermat. Fermat replied on 26 April 1636 and, in addition to telling 
Mersenne about errors which he believed that Galileo had made in his description of free fall, he 
also told Mersenne about his work on spirals and his restoration of Apollonius's Plane loci. His 
work on spirals had been motivated by considering the path of free falling bodies and he had used 
methods generalised from Archimedes’ work On spirals to compute areas under the spirals. In 
addition Fermat wrote: 


I have also found many sorts of analyses for diverse problems, numerical as well as geometrical, 
for the solution of which Viéte's analysis could not have sufficed. I will share all of this with you 
whenever you wish and do so without any ambition, from which I am more exempt and more 
distant than any man in the world. 


It is somewhat ironical that this initial contact with Fermat and the scientific community came 
through his study of free fall since Fermat had little interest in physical applications of 
mathematics. Even with his results on free fall he was much more interested in proving 
geometrical theorems than in their relation to the real world. This first letter did however contain 
two problems on maxima which Fermat asked Mersenne to pass on to the Paris mathematicians 
and this was to be the typical style of Fermat's letters, he would challenge others to find results 
which he had already obtained. 
Roberval and Mersenne found that Fermat's problems in this first, and subsequent, letters were 
extremely difficult and usually not soluble using current techniques. They asked him to divulge his 
methods and Fermat sent Method for determining Maxima and Minima and Tangents to Curved 
Lines, his restored text of Apollonius's Plane loci and his algebraic approach to geometry 
Introduction to Plane and Solid Loci to the Paris mathematicians. 


His reputation as one of the leading mathematicians in the world came quickly but attempts to get 
his work published failed mainly because Fermat never really wanted to put his work into a 
polished form. However some of his methods were published, for example Hérigone added a 
supplement containing Fermat's methods of maxima and minima to his major work Cursus 
mathematicus. The widening correspondence between Fermat and other mathematicians did not 
find universal praise. Frenicle de Bessy became annoyed at Fermat's problems which to him were 
impossible. He wrote angrily to Fermat but although Fermat gave more details in his reply, 
Frenicle de Bessy felt that Fermat was almost teasing him. 


However Fermat soon became engaged in a controversy with a more major mathematician than 
Frenicle de Bessy. Having been sent a copy of Descartes' La Dioptrique by Beaugrand, Fermat 
paid it little attention since he was in the middle of a correspondence with Roberval and Etienne 
Pascal over methods of integration and using them to find centres of gravity. Mersenne asked him 
to give an opinion on La Dioptrique which Fermat did describing it as 


groping about in the shadows. 


He claimed that Descartes had not correctly deduced his law of refraction since it was inherent in 
his assumptions. To say that Descartes was not pleased is an understatement. Descartes soon found 
reason to feel even more angry since he viewed Fermat's work on maxima, minima and tangents as 
reducing the importance of his own work La Géométrie which Descartes was most proud of and 
which he sought to show that his Discours de la method alone could give. 


Descartes attacked Fermat's method of maxima, minima and tangents. Roberval and Etienne 
Pascal became involved in the argument and eventually so did Desargues who Descartes asked to 
act as a referee. Fermat proved correct and eventually Descartes admitted this writing:- 


... seeing the last method that you use for finding tangents to curved lines, I can reply to it in no 
other way than to say that it is very good and that, if you had explained it in this manner at the 
outset, I would have not contradicted it at all. 


Did this end the matter and increase Fermat's standing? Not at all since Descartes tried to damage 
Fermat's reputation. For example, although he wrote to Fermat praising his work on determining 
the tangent to a cycloid (which is indeed correct), Descartes wrote to Mersenne claiming that it 
was incorrect and saying that Fermat was inadequate as a mathematician and a thinker. Descartes 
was important and respected and thus was able to severely damage Fermat's reputation. 


The period from 1643 to 1654 was one when Fermat was out of touch with his scientific 
colleagues in Paris. There are a number of reasons for this. Firstly pressure of work kept him from 
devoting so much time to mathematics. Secondly the Fronde, a civil war in France, took place and 
from 1648 Toulouse was greatly affected. Finally there was the plague of 1651 which must have 
had great consequences both on life in Toulouse and of course its near fatal consequences on 
Fermat himself. However it was during this time that Fermat worked on number theory. 


Fermat is best remembered for this work in number theory, in particular for Fermat's Last 
Theorem. This theorem states that x^n + y^n = z^n has no non-zero integer solutions for x, y and z 
when n > 2. Fermat wrote, in the margin of Bachet's translation of Diophantus's Arithmetica 


I have discovered a truly remarkable proof which this margin is too small to contain. 


These marginal notes only became known after Fermat's son Samuel published an edition of 
Bachet's translation of Diophantus's Arithmetica with his father's notes in 1670. 


It is now believed that Fermat's 'proof' was wrong although it is impossible to be completely 
certain. The truth of Fermat's assertion was proved in June 1993 by the British mathematician 
Andrew Wiles, but Wiles withdrew the claim to have a proof when problems emerged later in 
1993. In November 1994 Wiles again claimed to have a correct proof which has now been 
accepted. 


Unsuccessful attempts to prove the theorem over a 300 year period led to the discovery of 
commutative ring theory and a wealth of other mathematical discoveries. 


Fermat's correspondence with the Paris mathematicians restarted in 1654 when Blaise Pascal, 
Etienne Pascal's son, wrote to him to ask for confirmation about his ideas on probability. Blaise 
Pascal knew of Fermat through his father, who had died three years before, and was well aware of 
Fermat's outstanding mathematical abilities. Their short correspondence set up the theory of 
probability and from this they are now regarded as joint founders of the subject. Fermat however, 
feeling his isolation and still wanting to adopt his old style of challenging mathematicians, tried to 
change the topic from probability to number theory. Pascal was not interested but Fermat, not 
realising this, wrote to Carcavi saying: 


I am delighted to have had opinions conforming to those of M Pascal, for I have infinite esteem for 
his genius... the two of you may undertake that publication, of which I consent to your being the 
masters, you may clarify or supplement whatever seems too concise and relieve me of a burden 


that my duties prevent me from taking on. 


However Pascal was certainly not going to edit Fermat's work and after this flash of desire to have 
his work published Fermat again gave up the idea. He went further than ever with his challenge 
problems however: 


Two mathematical problems posed as insoluble to French, English, Dutch and all mathematicians 


of Europe by Monsieur de Fermat, Councillor of the King in the Parliament of Toulouse. 


His problems did not prompt too much interest as most mathematicians seemed to think that 
number theory was not an important topic. The second of the two problems, namely to find all 
solutions of Nx^2 + 1 = y^2 for N not a square, was however solved by Wallis and Brouncker and 
they developed continued fractions in their solution. Brouncker produced rational solutions which 
led to arguments. Frenicle de Bessy was perhaps the only mathematician at that time who was 
really interested in number theory but he did not have sufficient mathematical talents to allow him 
to make a significant contribution. 


Fermat posed further problems, namely that the sum of two cubes cannot be a cube (a special case 
of Fermat's Last Theorem which may indicate that by this time Fermat realised that his proof of the 
general result was incorrect), that there are exactly two integer solutions of x^2 + 4 = y^3 and that the 
equation x^2 + 2 = y^3 has only one integer solution. He posed problems directly to the English. 
Everyone failed to see that Fermat had been hoping his specific problems would lead them to 
discover, as he had done, deeper theoretical results. 


Around this time one of Descartes’ students was collecting his correspondence for publication and 
he turned to Fermat for help with the Fermat - Descartes correspondence. This led Fermat to look 
again at the arguments he had used 20 years before and he looked again at his objections to 
Descartes’ optics. In particular he had been unhappy with Descartes’ description of refraction of 
light and he now settled on a principle which did in fact yield the sine law of refraction that Snell 
and Descartes had proposed. However Fermat had now deduced it from a fundamental property 
that he proposed, namely that light always follows the shortest possible path. Fermat's principle, 
now one of the most basic properties of optics, did not find favour with mathematicians at the 
time. 


In 1656 Fermat had started a correspondence with Huygens. This grew out of Huygens interest in 
probability and the correspondence was soon manipulated by Fermat onto topics of number theory. 

This topic did not interest Huygens but Fermat tried hard and in New Account of Discoveries in the 
Science of Numbers sent to Huygens via Carcavi in 1659, he revealed more of his methods than he 
had done to others. 


Fermat described his method of infinite descent and gave an example on how it could be used to 
prove that every number of the form 4n + 1 could be written as the sum of two squares. For 
suppose some number of the form 4n + 1 could not be written as the sum of two squares. Then 
there is a smaller number of the form 4n + 1 which cannot be written as the sum of two squares. 
Continuing the argument will lead to a contradiction. What Fermat failed to explain in this letter is 
how the smaller number is constructed from the larger. One assumes that Fermat did know how to 
make this step but again his failure to disclose the method made mathematicians lose interest. It 
was not until Euler took up these problems that the missing steps were filled in. 


Fermat is described as 


Secretive and taciturn, he did not like to talk about himself and was loath to reveal too much about 
his thinking. ... His thought, however original or novel, operated within a range of possibilities 
limited by that [1600-1650] time and that [France] place. 
Carl B Boyer says: 


Recognition of the significance of Fermat's work in analysis was tardy, in part because he adhered 
to the system of mathematical symbols devised by Francois Viéte, notations that Descartes's 
Géométrie had rendered largely obsolete. The handicap imposed by the awkward notations 
operated less severely in Fermat's favourite field of study, the theory of numbers, but here, 
unfortunately, he found no correspondent to share his enthusiasm. 


The source of this information is the following webpage: 


http://www-history.mcs.st-and.ac.uk/history/Mathematicians/Fermat.html 
Evariste Galois 





Born: 25 Oct 1811 in Bourg La Reine (near Paris), France 
Died: 31 May 1832 in Paris, France 


Famous for his contributions to group theory, Evariste Galois produced a method of determining 
when a general equation could be solved by radicals. 


Galois' father Nicholas Gabriel Galois and his mother Adelaide Marie Demante were both 
intelligent and well educated in philosophy, classical literature and religion. However there is no 
sign of any mathematical ability in any of Galois' family. His mother served as Galois' sole teacher 
until he was 12 years old. She taught him Greek, Latin and religion where she imparted her own 
scepticism to her son. Galois' father was an important man in the community and in 1815 he was 

elected mayor of Bourg-la-Reine. 


The starting point of the historical events which were to play a major role in Galois’ life is surely 
the storming of the Bastille on 14 July 1789. From this point the monarchy of Louis 16th was in 
major difficulties as the majority of Frenchmen composed their differences and united behind an 
attempt to destroy the privileged establishment of the church and the state. 


Despite attempts at compromise Louis 16th was tried after attempting to flee the country. 
Following the execution of the King on 21 January 1793 there followed a reign of terror with 
many political trials. By the end of 1793 there were 4595 political prisoners held in Paris. However 
France began to have better times as their armies, under the command of Napoleon Bonaparte, 
won victory after victory. 


Napoleon became 1st Consul in 1800 and then Emperor in 1804. The French armies continued a 
conquest of Europe while Napoleon's power became more and more secure. In 1811 Napoleon was 
at the height of his power. By 1815 Napoleon's rule was over. The failed Russian campaign of 
1812 was followed by defeats, the Allies entering Paris on 31 March 1814. Napoleon abdicated on 
6 April and Louis XVIII was installed as King by the Allies. The year 1815 saw the famous one 
hundred days. Napoleon entered Paris on March 20, was defeated at Waterloo on 18 June and 
abdicated for the second time on 22 June. Louis XVII was reinstated as King but died in 
September 1824, Charles X becoming the new King. 


Galois was by this time at school. He had enrolled at the Lycée of Louis-le-Grand as a boarder in 
the 4th class on 6 October 1823. Even during his first term there was a minor rebellion and 40 
pupils were expelled from the school. Galois was not involved and during 1824-25 his school 
record is good and he received several prizes. However in 1826 Galois was asked to repeat the 
year because his work in rhetoric was not up to the required standard. 


February 1827 was a turning point in Galois’ life. He enrolled in his first mathematics class, the 
class of M. Vernier. He quickly became absorbed in mathematics and his director of studies wrote: 


It is the passion for mathematics which dominates him, I think it would be best for him if his 
parents would allow him to study nothing but this, he is wasting his time here and does nothing 


but torment his teachers and overwhelm himself with punishments. 


Galois' school reports began to describe him as singular, bizarre, original and closed. It is 
interesting that perhaps the most original mathematician who ever lived should be criticised for 
being original. M. Vernier reported however 


Intelligence, marked progress but not enough method. 


In 1828 Galois took the examination of the Ecole Polytechnique but failed. It was the leading 
University of Paris and Galois must have wished to enter it for academic reasons. However, he 
also wished to enter this school because of the strong political movements that existed among 
its students, since Galois followed his parents example in being an ardent republican. 


Back at Louis-le-Grand, Galois enrolled in the mathematics class of Louis Richard. However he 
worked more and more on his own researches and less and less on his schoolwork. He studied 
Legendre's Géométrie and the treatises of Lagrange. As Richard was to report 


This student works only in the highest realms of mathematics. 


In April 1829 Galois had his first mathematics paper published on continued fractions in the 
Annales de mathématiques . On 25 May and 1 June he submitted articles on the algebraic solution 
of equations to the Académie des Sciences. Cauchy was appointed as referee of Galois’ paper. 
Tragedy was to strike Galois for on 2 July 1829 his father committed suicide. The priest of Bourg- 
la-Reine forged Mayor Galois' name on malicious forged epigrams directed at Galois' own 
relatives. Galois' father was a good natured man and the scandal that ensued was more than he 
could stand. He hanged himself in his Paris apartment only a few steps from Louis-le-Grand where 
his son was studying. Galois was deeply affected by his father's death and it greatly influenced the 
direction his life was to take. 


A few weeks after his father's death, Galois presented himself for examination for entry to the 

Ecole Polytechnique for the second time. For the second time he failed, perhaps partly because he 

took it under the worst possible circumstances so soon after his father's death, partly because he 

was never good at communicating his deep mathematical ideas. Galois therefore resigned himself 
to enter the Ecole Normale, which was an annex to Louis-le-Grand, and to do so he had to take his 
Baccalaureate examinations, something he could have avoided by entering the Ecole 
Polytechnique. 


He passed, receiving his degree on 29 December 1829. His examiner in mathematics reported: 


This pupil is sometimes obscure in expressing his ideas, but he is intelligent and shows a 
remarkable spirit of research. 


His literature examiner reported: 


This is the only student who has answered me poorly, he knows absolutely nothing. I was told that 
this student has an extraordinary capacity for mathematics. This astonishes me greatly, for, after 
his examination, I believed him to have but little intelligence. 


Galois sent Cauchy further work on the theory of equations, but then learned from Bulletin de 
Férussac of a posthumous article by Abel which overlapped with a part of his work. Galois then 
took Cauchy's advice and submitted a new article On the condition that an equation be soluble by 
radicals in February 1830. The paper was sent to Fourier, the secretary of the Academy, to be 
considered for the Grand Prize in mathematics. Fourier died in April 1830 and Galois’ paper was 
never subsequently found and so never considered for the prize. 


Galois, after reading Abel and Jacobi's work, worked on the theory of elliptic functions and abelian 
integrals. With support from Jacques Sturm, he published three papers in Bulletin de Férussac in 
April 1830. However, he learnt in June that the Academy's prize would be awarded
jointly to Abel (posthumously) and to Jacobi, his own work never having been considered.


July 1830 saw a revolution. Charles X fled France. There was rioting in the streets of Paris and
the director of Ecole Normale, M. Guigniault, locked the students in to avoid them taking part.
Galois tried to scale the wall to join the rioting but failed. In December 1830 M. Guigniault wrote
newspaper articles attacking the students and Galois wrote a reply in the Gazette des Ecoles,
attacking M. Guigniault for his actions in locking the students into the school. For this letter
Galois was expelled and he joined the Artillery of the National Guard, a Republican branch of the
militia. On 31 December 1830 the Artillery of the National Guard was abolished by Royal Decree
since the new King Louis-Philippe felt it was a threat to the throne.


Two minor publications, an abstract in Annales de Gergonne (December 1830) and a letter on the
teaching of science in the Gazette des Ecoles (2 January 1831), were the last publications during
his life. In January 1831 Galois attempted to return to mathematics. He organised some
mathematics classes in higher algebra which attracted 40 students to the first meeting, but after that
the numbers quickly fell off. Galois was invited by Poisson to submit a third version of his memoir
on equations to the Academy and he did so on 17 January.


On 18 April Sophie Germain wrote a letter to her friend the mathematician Libri which describes 
Galois’ situation. 


... the death of M. Fourier, have been too much for this student Galois who, in spite of his
impertinence, showed signs of a clever disposition. All this has done so much that he has been
expelled from Ecole Normale. He is without money... They say he will go completely mad. I fear
this is true.


Late in 1830, 19 officers from the Artillery of the National Guard were arrested and charged with
conspiracy to overthrow the government. They were acquitted and on 9 May 1831 200 republicans
gathered for a dinner to celebrate the acquittal. During the dinner Galois raised his glass and with
an open dagger in his hand appeared to make threats against the King, Louis-Philippe. After the
dinner Galois was arrested and held in Sainte-Pélagie prison. At his trial on 15 June his defence
lawyer claimed that Galois had said


To Louis-Philippe, if he betrays


but the last words had been drowned by the noise. Galois, rather surprisingly since he essentially
repeated the threat from the dock, was acquitted.


The 14th July was Bastille Day and Galois was arrested again. He was wearing the uniform of the
Artillery of the National Guard, which was illegal. He was also carrying a loaded rifle, several
pistols and a dagger. Galois was sent back to Sainte-Pélagie prison. While in prison he received a
rejection of his memoir. Poisson had reported that:


His argument is neither sufficiently clear nor sufficiently developed to allow us to judge its rigour. 


He did, however, encourage Galois to publish a more complete account of his work. While in 
Sainte-Pélagie prison Galois attempted to commit suicide by stabbing himself with a dagger but 
the other prisoners prevented him. While drunk in prison he poured out his soul 


Do you know what I lack my friend? I confide it only to you: it is someone whom I can love and 
love only in spirit. I have lost my father and no one has ever replaced him, do you hear me...? 


In March 1832 a cholera epidemic swept Paris and prisoners, including Galois, were transferred to 
the pension Sieur Faultrier. There he apparently fell in love with Stephanie-Felice du Motel, the 
daughter of the resident physician. After he was released on 29 April Galois exchanged letters with 
Stephanie, and it is clear that she tried to distance herself from the affair. 


The name Stephanie appears several times as a marginal note in one of Galois' manuscripts. 


Galois fought a duel with Perscheux d'Herbinville on 30 May, the reason for the duel not being 
clear but certainly linked with Stephanie. 


You can see a note in the margin of the manuscript that Galois wrote the night before the duel. It 
reads 


There is something to complete in this demonstration. I do not have the time. (Author's note). 


It is this which has led to the legend that he spent his last night writing out all he knew about group 
theory. This story appears to have been exaggerated. 
Galois was wounded in the duel and was abandoned by d'Herbinville and his own seconds and
found by a peasant. He died in Cochin hospital on 31 May and his funeral was held on 2 June. It
was the focus for a Republican rally and riots followed which lasted for several days.


Galois' brother and his friend Chevalier copied his mathematical papers and sent them to Gauss,
Jacobi and others. It had been Galois' wish that Jacobi and Gauss should give their opinions on his
work. No record exists of any comment these men made. However the papers reached Liouville
who, in September 1843, announced to the Academy that he had found in Galois' papers a concise
solution


... as correct as it is deep of this lovely problem: Given an irreducible equation of prime degree,
decide whether or not it is soluble by radicals.


Liouville published these papers of Galois in his Journal in 1846.


The source of this information is the following webpage:


http://www-history.mcs.st-and.ac.uk/history/Mathematicians/Galois.html 


Johann Carl Friedrich Gauss 





Born: 30 April 1777 in Brunswick, Duchy of Brunswick (now Germany)
Died: 23 Feb 1855 in Göttingen, Hanover (now Germany)


Carl Friedrich Gauss worked in a wide variety of fields in both mathematics and physics
including number theory, analysis, differential geometry, geodesy, magnetism, astronomy and
optics. His work has had an immense influence in many areas.


At the age of seven, Carl Friedrich started elementary school, and his potential was noticed almost
immediately. His teacher, Büttner, and his assistant, Martin Bartels, were amazed when Gauss
summed the integers from 1 to 100 instantly by spotting that the sum was 50 pairs of numbers, each
pair summing to 101.
In 1788 Gauss began his education at the Gymnasium with the help of Büttner and Bartels, where
he learnt High German and Latin. After receiving a stipend from the Duke of Brunswick-Wolfenbüttel,
Gauss entered Brunswick Collegium Carolinum in 1792. At the academy Gauss
independently discovered Bode's law, the binomial theorem and the arithmetic-geometric mean,
as well as the law of quadratic reciprocity and the prime number theorem.


In 1795 Gauss left Brunswick to study at Göttingen University. Gauss's teacher there was
Kaestner, whom Gauss often ridiculed. His only known friend amongst the students was Farkas
Bolyai. They met in 1799 and corresponded with each other for many years.


Gauss left Göttingen in 1798 without a diploma, but by this time he had made one of his most
important discoveries - the construction of a regular 17-gon by ruler and compasses. This was the
most major advance in this field since the time of Greek mathematics and was published as
Section VII of Gauss's famous work, Disquisitiones Arithmeticae.


Gauss returned to Brunswick where he received a degree in 1799. After the Duke of Brunswick 
had agreed to continue Gauss's stipend, he requested that Gauss submit a doctoral dissertation to 
the University of Helmstedt. He already knew Pfaff, who was chosen to be his advisor. Gauss's 
dissertation was a discussion of the fundamental theorem of algebra. 


With his stipend to support him, Gauss did not need to find a job and so devoted himself to research.
He published the book Disquisitiones Arithmeticae in the summer of 1801. There were seven
sections, all but the last section, referred to above, being devoted to number theory.


In June 1801, Zach, an astronomer whom Gauss had come to know two or three years previously,
published the orbital positions of Ceres, a new 'small planet' which was discovered by G Piazzi, an
Italian astronomer, on 1 January 1801. Unfortunately, Piazzi had only been able to observe 9
degrees of its orbit before it disappeared behind the Sun. Zach published several predictions of its
position, including one by Gauss which differed greatly from the others. When Ceres was
rediscovered by Zach on 7 December 1801 it was almost exactly where Gauss had predicted.
Although he did not disclose his methods at the time, Gauss had used his least squares
approximation method.


In June 1802 Gauss visited Olbers who had discovered Pallas in March of that year and Gauss
investigated its orbit. Olbers requested that Gauss be made director of the proposed new
observatory in Göttingen, but no action was taken. Gauss began corresponding with Bessel, whom
he did not meet until 1825, and with Sophie Germain.
Gauss married Johanna Ostoff on 9 October 1805. Despite having a happy personal life for the
first time, his benefactor, the Duke of Brunswick, was killed fighting for the Prussian army. In
1807 Gauss left Brunswick to take up the position of director of the Göttingen observatory.


Gauss arrived in Göttingen in late 1807. In 1808 his father died, and a year later Gauss's wife
Johanna died after giving birth to their second son, who was to die soon after her. Gauss was
shattered and wrote to Olbers asking him to give him a home for a few weeks,


to gather new strength in the arms of your friendship - strength for a life which is only valuable 
because it belongs to my three small children. 


Gauss was married for a second time the next year, to Minna the best friend of Johanna, and 
although they had three children, this marriage seemed to be one of convenience for Gauss. 


Gauss's work never seemed to suffer from his personal tragedy. He published his second book, 
Theoria motus corporum coelestium in sectionibus conicis Solem ambientium, in 1809, a major 
two volume treatise on the motion of celestial bodies. In the first volume he discussed differential 
equations, conic sections and elliptic orbits, while in the second volume, the main part of the work, 
he showed how to estimate and then to refine the estimation of a planet's orbit. Gauss's 
contributions to theoretical astronomy stopped after 1817, although he went on making 
observations until the age of 70. 


Much of Gauss's time was spent on a new observatory, completed in 1816, but he still found the
time to work on other subjects. His publications during this time include Disquisitiones generales
circa seriem infinitam, a rigorous treatment of series and an introduction of the hypergeometric
function, Methodus nova integralium valores per approximationem inveniendi, a practical essay
on approximate integration, Bestimmung der Genauigkeit der Beobachtungen, a discussion of
statistical estimators, and Theoria attractionis corporum sphaeroidicorum ellipticorum
homogeneorum methodus nova tractata. The latter work was inspired by geodesic problems and
was principally concerned with potential theory. In fact, Gauss found himself more and more
interested in geodesy in the 1820's.


Gauss had been asked in 1818 to carry out a geodesic survey of the state of Hanover to link up
with the existing Danish grid. Gauss was pleased to accept and took personal charge of the survey,
making measurements during the day and reducing them at night, using his extraordinary mental
capacity for calculations. He regularly wrote to Schumacher, Olbers and Bessel, reporting on his
progress and discussing problems.


Because of the survey, Gauss invented the heliotrope which worked by reflecting the Sun's rays 
using a design of mirrors and a small telescope. However, inaccurate base lines were used for the 
survey and an unsatisfactory network of triangles. Gauss often wondered if he would have been 
better advised to have pursued some other occupation but he published over 70 papers between 
1820 and 1830. 


In 1822 Gauss won the Copenhagen University Prize with Theoria attractionis... together with the
idea of mapping one surface onto another so that the two are similar in their smallest parts. This
paper was published in 1825 and led to the much later publication of Untersuchungen über
Gegenstände der Höheren Geodäsie (1843 and 1846). The paper Theoria combinationis
observationum erroribus minimis obnoxiae (1823), with its supplement (1828), was devoted to
mathematical statistics, in particular to the least squares method.


From the early 1800's Gauss had an interest in the question of the possible existence of a
non-Euclidean geometry. He discussed this topic at length with Farkas Bolyai and in his
correspondence with Gerling and Schumacher. In a book review in 1816 he discussed proofs
which deduced the axiom of parallels from the other Euclidean axioms, suggesting that he
believed in the existence of non-Euclidean geometry, although he was rather vague. Gauss
confided in Schumacher, telling him that he believed his reputation would suffer if he admitted in
public that he believed in the existence of such a geometry.


In 1831 Farkas Bolyai sent to Gauss his son Janos Bolyai's work on the subject. Gauss replied 


to praise it would mean to praise myself. 


Again, a decade later, when he was informed of Lobachevsky's work on the subject, he praised its
"genuinely geometric" character, while in a letter to Schumacher in 1846 he states that he


had the same convictions for 54 years 


indicating that he had known of the existence of a non-Euclidean geometry since he was 15 years 
of age (this seems unlikely). 
Gauss had a major interest in differential geometry, and published many papers on the subject.
Disquisitiones generales circa superficies curvas (1828) was his most renowned work in this field.
In fact, this paper rose from his geodesic interests, but it contained such geometrical ideas as
Gaussian curvature. The paper also includes Gauss's famous theorema egregium:


If an area in E^3 can be developed (i.e. mapped isometrically) into another area of E^3, the values of
the Gaussian curvatures are identical in corresponding points.


The period 1817-1832 was a particularly distressing time for Gauss. He took in his sick mother in
1817, who stayed until her death in 1839, while he was arguing with his wife and her family about
whether they should go to Berlin. He had been offered a position at Berlin University and Minna
and her family were keen to move there. Gauss, however, never liked change and decided to stay
in Göttingen. In 1831 Gauss's second wife died after a long illness.


In 1831, Wilhelm Weber arrived in Göttingen as physics professor filling Tobias Mayer's chair.
Gauss had known Weber since 1828 and supported his appointment. Gauss had worked on physics
before 1831, publishing Über ein neues allgemeines Grundgesetz der Mechanik, which contained
the principle of least constraint, and Principia generalia theoriae figurae fluidorum in statu
aequilibrii which discussed forces of attraction. These papers were based on Gauss's potential
theory, which proved of great importance in his work on physics. He later came to believe his
potential theory and his method of least squares provided vital links between science and nature.


In 1832, Gauss and Weber began investigating the theory of terrestrial magnetism after Alexander
von Humboldt attempted to obtain Gauss's assistance in making a grid of magnetic observation
points around the Earth. Gauss was excited by this prospect and by 1840 he had written three
important papers on the subject: Intensitas vis magneticae terrestris ad mensuram absolutam
revocata (1832), Allgemeine Theorie des Erdmagnetismus (1839) and Allgemeine Lehrsätze in
Beziehung auf die im verkehrten Verhältnisse des Quadrats der Entfernung wirkenden
Anziehungs- und Abstossungskräfte (1840). These papers all dealt with the current theories on
terrestrial magnetism, including Poisson's ideas, absolute measure for magnetic force and an
empirical definition of terrestrial magnetism. Dirichlet's principle was mentioned without proof.


Allgemeine Theorie... showed that there can only be two poles in the globe and went on to prove
an important theorem, which concerned the determination of the intensity of the horizontal
component of the magnetic force along with the angle of inclination. Gauss used the Laplace
equation to aid him with his calculations, and ended up specifying a location for the magnetic
South pole.


Humboldt had devised a calendar for observations of magnetic declination. However, once Gauss's 
new magnetic observatory (completed in 1833 - free of all magnetic metals) had been built, he 
proceeded to alter many of Humboldt's procedures, not pleasing Humboldt greatly. However, 
Gauss's changes obtained more accurate results with less effort. 


Gauss and Weber achieved much in their six years together. They discovered Kirchhoff's laws, as 
well as building a primitive telegraph device which could send messages over a distance of 5000 
ft. However, this was just an enjoyable pastime for Gauss. He was more interested in the task of 
establishing a world-wide net of magnetic observation points. This occupation produced many 
concrete results. The Magnetischer Verein and its journal were founded, and the atlas of 
geomagnetism was published, while Gauss and Weber's own journal in which their results were 
published ran from 1836 to 1841. 


In 1837, Weber was forced to leave Göttingen when he became involved in a political dispute and,
from this time, Gauss's activity gradually decreased. He still produced letters in response to fellow
scientists' discoveries, usually remarking that he had known the methods for years but had never
felt the need to publish. Sometimes he seemed extremely pleased with advances made by other
mathematicians, particularly that of Eisenstein and of Lobachevsky.


Gauss spent the years from 1845 to 1851 updating the Göttingen University widow's fund. This
work gave him practical experience in financial matters, and he went on to make his fortune
through shrewd investments in bonds issued by private companies.


Two of Gauss's last doctoral students were Moritz Cantor and Dedekind. Dedekind wrote a fine
description of his supervisor


... usually he sat in a comfortable attitude, looking down, slightly stooped, with hands folded
above his lap. He spoke quite freely, very clearly, simply and plainly: but when he wanted to
emphasise a new viewpoint ... then he lifted his head, turned to one of those sitting next to him,
and gazed at him with his beautiful, penetrating blue eyes during the emphatic speech. ... If he
proceeded from an explanation of principles to the development of mathematical formulas, then he
got up, and in a stately very upright posture he wrote on a blackboard beside him in his peculiarly
beautiful handwriting: he always succeeded through economy and deliberate arrangement in
making do with a rather small space. For numerical examples, on whose careful completion he
placed special value, he brought along the requisite data on little slips of paper.
Gauss presented his golden jubilee lecture in 1849, fifty years after his diploma had been granted
by Helmstedt University. It was appropriately a variation on his dissertation of 1799. From the
mathematical community only Jacobi and Dirichlet were present, but Gauss received many
messages and honours.


From 1850 onwards Gauss's work was again almost entirely of a practical nature, although he did
approve Riemann's doctoral thesis and heard his probationary lecture. His last known scientific
exchange was with Gerling. He discussed a modified Foucault pendulum in 1854. He was also able
to attend the opening of the new railway link between Hanover and Göttingen, but this proved to
be his last outing. His health deteriorated slowly, and Gauss died in his sleep early in the morning
of 23 February 1855.


The source of this information is the following webpage: 


http://www-history.mcs.st-and.ac.uk/history/Mathematicians/Gauss.html 


Karl Gustav Jacob Jacobi


Born: 10 Dec 1804 in Potsdam, Prussia (now Germany)
Died: 18 Feb 1851 in Berlin, Germany


Karl Jacobi founded the theory of elliptic functions.


Jacobi's father was a banker and his family were prosperous so he received a good education at the
University of Berlin. He obtained his Ph.D. in 1825 and taught mathematics at the University of
Königsberg from 1826 until his death, being appointed to a chair in 1832.


He founded the theory of elliptic functions based on four theta functions. His Fundamenta nova 
theoria functionum ellipticarum in 1829 and its later supplements made basic contributions to the 
theory of elliptic functions. 


In 1834 Jacobi proved that if a single-valued function of one variable is doubly periodic then the 
ratio of the periods is imaginary. This result prompted much further work in this area, in particular 
Jacobi carried out important research in partial differential equations of the first order and applied
them to the differential equations of dynamics.


He also worked on determinants and studied the functional determinant now called the Jacobian.
Jacobi was not the first to study the functional determinant which now bears his name; it appears
first in an 1815 paper of Cauchy. However Jacobi wrote a long memoir De determinantibus
functionalibus in 1841 devoted to this determinant. He proves, among many other things, that
if a set of n functions in n variables are functionally related then the Jacobian is identically zero,
while if the functions are independent the Jacobian cannot be identically zero.


Jacobi's reputation as an excellent teacher attracted many students. He introduced the seminar 
method to teach students the latest advances in mathematics. 


The source of this information is the following webpage: 


http://www-history.mcs.st-and.ac.uk/history/Mathematicians/Jacobi.html 


Adrien-Marie Legendre 





Born: 18 Sept 1752 in Paris, France 

Died: 10 Jan 1833 in Paris, France 

Legendre's major work on elliptic integrals provided basic analytical tools for mathematical 
physics. 


Legendre was educated at Collège Mazarin in Paris. From 1775 to 1780 he taught with Laplace at
Ecole Militaire where his appointment was made on the advice of d'Alembert. Legendre was
appointed to the Académie des Sciences in 1783 and remained there until it closed in 1793.


In 1782 Legendre determined the attractive force for certain solids of revolution by introducing an
infinite series of polynomials P_n, which are now called Legendre polynomials.
His major work on elliptic functions in Exercices du Calcul Intégral (1811, 1817, 1819) and elliptic
integrals in Traité des Fonctions Elliptiques (1825, 1826, 1830) provided basic analytical tools for
mathematical physics.


In his famous textbook Eléments de géométrie (1794) he gave a simple proof that π is irrational as
well as the first proof that π² is irrational and conjectured that π is not the root of any algebraic
equation of finite degree with rational coefficients, i.e. π is not algebraic.


His attempt to prove the parallel postulate extended over 40 years. 


In 1824 Legendre refused to vote for the government's candidate for Institut National. Because of 
this his pension was stopped and he died in poverty. Abel wrote in October 1826 


Legendre is an extremely amiable man, but unfortunately as old as the stones. 


The source of this information is the following webpage: 


http://www-history.mcs.st-and.ac.uk/history/Mathematicians/Legendre.html 


August Ferdinand Möbius





Born: 17 Nov 1790 in Schulpforta, Saxony (now Germany) 
Died: 26 Sept 1868 in Leipzig, Germany 


August Möbius is best known for his work in topology, especially for his conception of the
Möbius strip, a two dimensional surface with only one side.


August was the only child of Johann Heinrich Möbius, a dancing teacher, who died when August
was three years old. His mother was a descendant of Martin Luther. Möbius was educated at home
until he was 13 years old when, already showing an interest in mathematics, he went to the College
in Schulpforta in 1803.


In 1809 Möbius graduated from his College and he became a student at the University of Leipzig.
His family had wanted him to study law and indeed he started to study this topic. However he soon
discovered that it was not a subject that gave him satisfaction and in the middle of his first year of
study he decided to follow his own preferences rather than those of his family. He therefore took
up the study of mathematics, astronomy and physics.


The teacher who influenced Möbius most during his time at Leipzig was his astronomy teacher
Karl Mollweide. Although an astronomer, Mollweide is well known for a number of mathematical
discoveries, in particular the Mollweide trigonometric relations he discovered in 1807-09 and the
Mollweide map projection which preserves angles and so is a conformal projection.


In 1813 Möbius travelled to Göttingen where he studied astronomy under Gauss. Now Gauss was
the director of the Observatory in Göttingen but of course the greatest mathematician of his day, so
again Möbius studied under an astronomer whose interests were mathematical. From Göttingen
Möbius went to Halle where he studied under Johann Pfaff, Gauss's teacher. Under Pfaff he
studied mathematics rather than astronomy so by this stage Möbius was very firmly working in
both fields.


In 1815 Möbius wrote his doctoral thesis on The occultation of fixed stars and began work on his
Habilitation thesis. In fact while he was writing this thesis there was an attempt to draft him into
the Prussian army. Möbius wrote


This is the most horrible idea I have heard of, and anyone who shall venture, dare, hazard, make 
bold and have the audacity to propose it will not be safe from my dagger. 


He avoided the army and completed his Habilitation thesis on Trigonometrical equations.
Mollweide's interest in mathematics was such that he had moved from astronomy to the chair of
mathematics at Leipzig so Möbius had high hopes that he might be appointed to a professorship in
astronomy at Leipzig. Indeed he was appointed to the chair of astronomy and higher mechanics at
the University of Leipzig in 1816. His initial appointment was as Extraordinary Professor and it
was an appointment which came early in his career.


However Möbius did not receive quick promotion to full professor. It would appear that he was
not a particularly good lecturer and this made his life difficult since he did not attract fee paying
students to his lectures. He was forced to advertise his lecture courses as being free of charge
before students thought his courses worth taking.
He was offered a post as an astronomer in Greifswald in 1916 and then a post as a mathematician
at Dorpat in 1819. He refused both, partly through his belief in the high quality of Leipzig
University, partly through his loyalty to Saxony. In 1825 Mollweide died and Möbius hoped to
transfer to his chair of mathematics taking the route Mollweide had taken earlier. However it was
not to be and another mathematician was preferred for the post.


By 1844 Möbius's reputation as a researcher led to an invitation from the University of Jena and at
this stage the University of Leipzig gave him the Full Professorship in astronomy which he clearly
deserved.


From the time of his first appointment at Leipzig Möbius had also held the post of Observer at the
Observatory at Leipzig. He was involved in the rebuilding of the Observatory and, from 1818 until
1821, he supervised the project. He visited several other observatories in Germany before making
his recommendations for the new Observatory. In 1820 he married and he was to have one
daughter and two sons. In 1848 he became director of the Observatory.


In 1844 Grassmann visited Möbius. He asked Möbius to review his major work Die lineale
Ausdehnungslehre, ein neuer Zweig der Mathematik (1844) which contained many results similar
to Möbius's work. However Möbius did not understand the significance of Grassmann's work and
did not review it. He did however persuade Grassmann to submit work for a prize and, after
Grassmann won the prize, Möbius did write a review of his winning entry in 1847.


Although his most famous work is in mathematics, Möbius did publish important work on
astronomy. He wrote De Computandis Occultationibus Fixarum per Planetas (1815) concerning
occultations of the planets. He also wrote on the principles of astronomy, Die Hauptsätze der
Astronomie (1836) and on celestial mechanics Die Elemente der Mechanik des Himmels (1843).


Mobius's mathematical publications, although not always original, were effective and clear 
presentations. His contributions to mathematics are described by his biographer Richard Baltzer in 
as follows: 


The inspirations for his research he found mostly in the rich well of his own original mind. His 
intuition, the problems he set himself, and the solutions that he found, all exhibit something 
extraordinarily ingenious, something original in an uncontrived way. He worked without 
hurrying, quietly on his own. His work remained almost locked away until everything had been put 
into its proper place. Without rushing, without pomposity and without arrogance, he waited until 
the fruits of his mind matured. Only after such a wait did he publish his perfected works... 
Almost all Möbius's work was published in Crelle's Journal, the first journal devoted exclusively
to publishing mathematics. Möbius's 1827 work Der barycentrische Calcul, on analytical
geometry, became a classic and includes many of his results on projective and affine geometry. In
it he introduced homogeneous coordinates and also discussed geometric transformations, in
particular projective transformations. He introduced a configuration now called a Möbius net,
which was to play an important role in the development of projective geometry.


Möbius's name is attached to many important mathematical objects such as the Möbius function
which he introduced in the 1831 paper Über eine besondere Art von Umkehrung der Reihen and
the Möbius inversion formula.
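The Möbius function and the inversion formula named above are the tools behind a count that matters in this book's finite-field appendix: the number of monic irreducible polynomials of a given degree over GF(q), which is what one needs to know that a field GF(q^n) can actually be built from a degree-n irreducible. The following Python block is an added example, not text or code from the biography or from MacTutor; the function names (`mobius`, `mobius_invert`, `irreducible_count`) are my own, and the factorization is plain trial division, adequate for the small arguments used here.

```python
# Added example (not from the page): the Möbius function mu(n), Möbius inversion,
# and the count of monic irreducible polynomials over GF(q) obtained by inverting
# the identity q^n = sum over d|n of d * N_q(d).
from typing import Callable, Dict, List


def factorize(n: int) -> Dict[int, int]:
    """Trial-division factorization {prime: exponent}; fine for the small n used here."""
    factors: Dict[int, int] = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def mobius(n: int) -> int:
    """mu(1) = 1; mu(n) = 0 if a square of a prime divides n;
    otherwise (-1)^k with k the number of distinct prime divisors of n."""
    if n < 1:
        raise ValueError("mu is defined for positive integers only")
    exps = factorize(n)
    if any(e > 1 for e in exps.values()):
        return 0
    return -1 if len(exps) % 2 else 1


def divisors(n: int) -> List[int]:
    """All positive divisors of n (brute force; n is small here)."""
    return [d for d in range(1, n + 1) if n % d == 0]


def mobius_invert(g: Callable[[int], int], n: int) -> int:
    """Möbius inversion: if g(n) = sum over d|n of f(d) for all n,
    then f(n) = sum over d|n of mu(d) * g(n // d)."""
    return sum(mobius(d) * g(n // d) for d in divisors(n))


def euler_phi(n: int) -> int:
    """phi(n) computed directly from the factorization; used to cross-check the
    inversion of n = sum over d|n of phi(d)."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result


def irreducible_count(q: int, n: int) -> int:
    """Number of monic irreducible polynomials of degree n over GF(q):
    N_q(n) = (1/n) * sum over d|n of mu(d) * q^(n/d)."""
    total = sum(mobius(d) * q ** (n // d) for d in divisors(n))
    if total % n != 0:  # the sum is always divisible by n; guard against misuse
        raise ArithmeticError("sum not divisible by n; q or n is invalid")
    return total // n


if __name__ == "__main__":
    print([mobius(k) for k in range(1, 13)])              # [1, -1, -1, 0, -1, 1, -1, 0, 0, 1, -1, 0]
    print(mobius_invert(lambda k: k, 12), euler_phi(12))  # 4 4
    print([irreducible_count(2, k) for k in range(1, 9)])  # [2, 1, 2, 3, 6, 9, 18, 30]
```

Running the block recovers Euler's phi from the identity n = Σ_{d|n} φ(d) and lists the counts of irreducible polynomials over GF(2) for degrees 1 to 8; for instance there are three monic irreducible quadratics over GF(3) and nine irreducible sextics over GF(2), which is the number of choices one has for the modulus when constructing GF(64).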


In 1837 he published Lehrbuch der Statik which gives a geometric treatment of statics. It led to the 
study of systems of lines in space. 


Before the question on the four colouring of maps had been asked by Francis Guthrie, Möbius had 
posed the following, rather easy, problem in 1840. 


There was once a king with five sons. In his will he stated that on his death his kingdom should be 
divided by his sons into five regions in such a way that each region should have a common 
boundary with the other four. Can the terms of the will be satisfied? 


The answer, of course, is negative and easy to show. However, it does illustrate Möbius's interest in 
topological ideas, an area in which he is most remembered as a pioneer. In a memoir, presented to 
the Académie des Sciences and only discovered after his death, he discussed the properties of one- 
sided surfaces including the Möbius strip, which he had discovered in 1858. This discovery was 
made as Möbius worked on a question on the geometric theory of polyhedra posed by the Paris 
Academy. 


Although we know this as a Möbius strip today, it was not Möbius who first described this object; 
rather by any criterion, either publication date or date of first discovery, precedence goes to 
Listing. 


A Möbius strip is a two-dimensional surface with only one side. It can be constructed in three 
dimensions as follows. Take a rectangular strip of paper and join the two ends of the strip together 
so that it has a 180 degree twist. It is now possible to start at a point A on the surface and trace out 
a path that passes through the point which is apparently on the other side of the surface from A. 


The source of this information is the following webpage: 


http://www-history.mcs.st-and.ac.uk/history/Mathematicians/Mobius.html 


Joseph Henry Maclagan Wedderburn 





Born: 2 Feb 1882 in Forfar, Angus, Scotland 
Died: 9 Oct 1948 in Princeton, New Jersey, USA 


Joseph Wedderburn made important advances in the theory of rings, algebras and matrix theory. 


He entered Edinburgh University in 1898, obtaining a degree in mathematics in 1903. Wedderburn 
then pursued postgraduate studies in Germany spending 1903-1904 at the University of Leipzig 
and then a semester at the University of Berlin. 


He was awarded a Carnegie Scholarship to study in the USA and he spent 1904-1905 at the 
University of Chicago where he did joint work with Veblen. Returning to Scotland he worked for 
4 years at Edinburgh as assistant to George Chrystal. From 1906 to 1908 he served as editor of the 
Proceedings of the Edinburgh Mathematical Society. 


In 1909 Wedderburn was appointed a Preceptor in Mathematics at Princeton where he joined 
Veblen. However World War I saw Wedderburn volunteer for the British Army and he served, 
partly in France, until the end of the war. 


On his return to Princeton he was soon promoted obtaining permanent tenure in 1921. He served 
as Editor of the Annals of Mathematics from 1912 to 1928. From about the end of this period 
Wedderburn seemed to suffer a mild nervous breakdown and became an increasingly solitary 
figure. By 1945 Princeton gave him early retirement in his own best interests. 


Wedderburn's best mathematical work was done before his war service. In 1905 he showed that a 
non-commutative finite field could not exist. This had as a corollary the complete structure of all 
finite projective geometries, showing that in all these geometries Pascal's theorem is a 
consequence of Desargues' theorem. 


In 1907 he published what is perhaps his most famous paper on the classification of semisimple 
algebras. He showed that every semisimple algebra is a direct sum of simple algebras and that a 
simple algebra was a matrix algebra over a division ring. 


In total he published around 40 works mostly on rings and matrices. His most famous book is 
Lectures on Matrices (1934). 


The source of this information is the following webpage: 


http://www-history.mcs.st-and.ac.uk/history/Mathematicians/Wedderburn.html 


Appendix D New Functions 


AddTwoLetters 
AddTwoLetters adds two letters modulo 26, where a = 0, b = 1, ..., z = 25. 





AddTwoLetters[a_, b_] := 
  FromCharacterCode[Mod[(ToCharacterCode[a] - 97) + 
    (ToCharacterCode[b] - 97), 26] + 97] 


Example: 


AddTwoLetters["b", "c"] 








CaesarCipher 


Applies the Caesar cipher with a given key to a given plaintext of small letters. 







CaesarCipher[plaintext_, key_] := 
  FromCharacterCode[ 
    Mod[ToCharacterCode[plaintext] - 97 + key, 26] + 97] 





Example: 


plaintext = "typehereyourplaintextinsmallletters"; 
key = 24; 
CaesarCipher[plaintext, key] 







rwncfcpewmspnjyolrevrglgqkyjjjcrrcepg 


ColumnSwap 


ColumnSwap interchanges columns i and j in matrix B. 


CoPrimeQ 


CoPrimeQ tests whether two integers are coprime, i.e. have gcd 1. 














CoPrimes 


CoPrimes generates a list of all integers between 1 and n that are coprime with n. In other 
words, it generates a reduced residue system modulo n. 


CoPrimes makes use of the function CoPrimeQ defined earlier. 

CoPrimes[n_Integer?Positive] := 
  Select[Range[n], CoPrimeQ[n, #] &] 





Example: 





CoPrimes[15] 


{1, 2, 4, 7, 8, 11, 13, 14} 


DivisorProduct 


DivisorProduct calculates $\prod_{d \mid n} f[d]$, the product of f over all divisors d of n. 


DivisorProduct[f_, n_] := Times @@ (f /@ Divisors[n]) 





Example: 

f[n_] := n 
DivisorProduct[f, 25] 

125 


DivisorSum 


DivisorSum calculates $\sum_{d \mid n} f[d]$, the sum of f over all divisors d of n. 


DivisorSum[f_, n_] := Plus @@ (f /@ Divisors[n]) 


Example: 


EllipticAdd 


EllipticAdd evaluates the sum of the points P and Q on an elliptic curve over Z_p given by the 


EllipticAdd[p_, a_, b_, c_, P_, Q_] := 
  (* {0} denotes the point at infinity; inverses modulo p are taken as 
     PowerMod[x, p - 2, p], so p must be prime *) 
  Module[{lam, x3, y3, R}, 
    If[P == {0}, R = Q, 
      If[Q == {0}, R = P, 
        If[P[[1]] != Q[[1]], 
          (* chord through two distinct points *) 
          (lam = Mod[(Q[[2]] - P[[2]]) * 
             PowerMod[Q[[1]] - P[[1]], p - 2, p], p]; 
           x3 = Mod[lam^2 - a - P[[1]] - Q[[1]], p]; 
           y3 = Mod[-(lam (x3 - P[[1]]) + P[[2]]), p]; 
           R = {x3, y3}), 
          If[(P == Q) && (P != {0}), 
            (* tangent at P: doubling *) 
            (lam = Mod[(3 P[[1]]^2 + 2 a P[[1]] + b) * 
               PowerMod[2 P[[2]], p - 2, p], p]; 
             x3 = Mod[lam^2 - a - P[[1]] - Q[[1]], p]; 
             y3 = Mod[-(lam (x3 - P[[1]]) + P[[2]]), p]; 
             R = {x3, y3}), 
            (* Q = -P: the sum is the point at infinity *) 
            If[(P[[1]] == Q[[1]]) && (P[[2]] != Q[[2]]), R = {0}]]]]]; 
    R] 





Example: 





p = 11; a = 0; b = 6; c = 3; 
EllipticAdd[p, a, b, c, {4, 6}, {9, 4}] 


{3, 9} 
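The same addition in Python, as an added example rather than the book's Mathematica code: it assumes the curve form $y^2 = x^3 + ax^2 + bx + c$ implied by the tangent slope $3x^2 + 2ax + b$ in the listing above, uses None for the point at infinity, and handles the case Q = -P explicitly (including doubling a point with y = 0, which the listing above does not treat separately).

```python
# Added example (not the book's Mathematica code): point addition on
# y^2 = x^3 + a*x^2 + b*x + c over Z_p, mirroring EllipticAdd above.
# The curve form is assumed from the tangent slope 3x^2 + 2ax + b; None
# is the point at infinity (the listing uses {0}); p must be prime.

def on_curve(p, a, b, c, P):
    """True if P is the point at infinity or satisfies the curve equation."""
    if P is None:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x * x + b * x + c)) % p == 0

def elliptic_add(p, a, b, c, P, Q):
    """Return P + Q on the curve over Z_p (None = point at infinity)."""
    for point in (P, Q):
        if not on_curve(p, a, b, c, point):
            raise ValueError(f"{point} is not on the curve")
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        # Q = -P, which also covers doubling a point with y = 0; the
        # listing above would try to invert 2*y = 0 in that case.
        return None
    if P == Q:
        # Tangent slope for doubling; pow(v, -1, p) is v^-1 mod p.
        lam = (3 * x1 * x1 + 2 * a * x1 + b) * pow((2 * y1) % p, -1, p) % p
    else:
        # Chord slope through two distinct points.
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - a - x1 - x2) % p
    y3 = (-(lam * (x3 - x1) + y1)) % p
    return (x3, y3)

def scalar_mult(p, a, b, c, k, P):
    """k*P by repeated addition (adequate for the small k used here)."""
    R = None
    for _ in range(k):
        R = elliptic_add(p, a, b, c, R, P)
    return R

if __name__ == "__main__":
    # The book's example: p = 11, y^2 = x^3 + 6x + 3, (4,6) + (9,4) = (3,9).
    print(elliptic_add(11, 0, 6, 3, (4, 6), (9, 4)))
```

On the book's curve the point (4, 6) has order 3: doubling it gives (4, 5) = -(4, 6), so 3*(4, 6) is the point at infinity.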


Entropy 
Entropy computes the entropy function $-p \log_2 p - (1 - p) \log_2 (1 - p)$. 





Example: 







ListQuadRes 


ListQuadRes gives a listing of all the quadratic residues modulo p. 





Example: 













MultiEntropy 
MultiEntropy evaluates $-\sum_{i=1}^{n} p_i \log_2 p_i$ for a list $\{p_1, p_2, \ldots, p_n\}$. 





Example: 
MultiplicativeOrder 


MultiplicativeOrder computes the multiplicative order of an integer a modulo n, assuming that 
they are coprime. So, it outputs the smallest positive integer m such that $a^m \equiv 1 \pmod{n}$. 





1285901112 


KnapsackForSuperIncreasingSequence 


KnapsackForSuperIncreasingSequence finds the {0, 1}-solution of the knapsack problem 
$\sum_{i=1}^{n} x_i a_i = S$, where $\{a_i\}_{i=1}^{n}$ is a superincreasing sequence. 

{1, 1, 0, 1, 1, 0} 
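The greedy solver in Python, as an added example rather than the book's Mathematica code; the superincreasing sequence {2, 3, 7, 15, 31, 61} and the sum S = 51 are constructed so that the answer is the {1, 1, 0, 1, 1, 0} shown above.

```python
# Added example (not the book's Mathematica code): greedy {0,1} solver for
# a superincreasing knapsack, mirroring KnapsackForSuperIncreasingSequence.

def is_superincreasing(a):
    """Each a_i must exceed the sum of all the a_j before it."""
    total = 0
    for ai in a:
        if ai <= total:
            return False
        total += ai
    return True

def knapsack_superincreasing(a, s):
    """Return the 0/1 list x with sum(x_i*a_i) == s, or None if there is none.

    Scanning from the largest a_i downwards, a_i must be taken whenever
    it still fits: everything smaller sums to less than a_i, so it could
    never make up the remainder by itself. One linear pass therefore
    finds the unique solution, which is what makes this instance easy.
    """
    if not is_superincreasing(a):
        raise ValueError("sequence is not superincreasing")
    x = [0] * len(a)
    remaining = s
    for i in range(len(a) - 1, -1, -1):
        if a[i] <= remaining:
            x[i] = 1
            remaining -= a[i]
    return x if remaining == 0 else None

if __name__ == "__main__":
    # Constructed sequence; S = 2 + 3 + 15 + 31 = 51 gives {1, 1, 0, 1, 1, 0}.
    print(knapsack_superincreasing([2, 3, 7, 15, 31, 61], 51))
```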


RowSwap 


RowSwap interchanges rows i and j in matrix B. 
Möbius function, 378 
elliptic curve, 213 

greatest common divisor, 344, 345 
minimal characteristic polynomial, 35 
h(p) entropy, 76 

H(X) entropy, 76 

H(X | Y) conditional entropy, 81 

I_q(n) number of irreducible polynomials of degree n over F_q, 401 
I(X,Y) mutual information, 82 
NQR quadratic non-residue, 364 
Q^{(n)} cyclotomic polynomial, 420 

QR quadratic residue, 364 

Tr trace function, 424 

V(n,q) n-dimensional vector space over GF(q), 309 

w(x) weight of a vector, 242 

Z_p integers modulo p, 395 


Index 


A 


Abelian group, 385 
access structure, 322 
complete, 322 
perfect, 322 
A-code (for message authentication), 292 
Johansson's construction of A-code from EC-code, 309 
from orthogonal array, 305 
active cryptanalyst, 3 
addition of points on an elliptic curve, 225 
addition chain, 113 
additive group, 385 
address, 98 
alphabet, 2 
algorithm 
addition of points on an elliptic curve , 225 
Baby-step Giant-step (for taking discrete logarithms), 130 
Berlekamp-Massey, 56 
bit swapping, 255 
Pollard-ρ, 161 
Miller-Rabin primality test, 188 

Pohlig-Hellman, 121 
message authentication code, 289 
standard, 393 
block cipher based identity verification protocol, 67 
cipher block chaining, 64 
cipher feedback mode, 65 
ciphertext, 3 
ciphertext only attack, 3 
code 
A- (for message authentication), 292 
authentication, 291 
Goppa, 237 
hash, 288 
instantaneous, 88 
message authentication, 289 
prefix, 88 
source, 87 
uniquely decodable, 87 
U.D., 87 
codebook mode, 63 
codeword, 237 
Cohen and Lenstra (deterministic primality test; version 1), 193 
collision resistant 
strong, 288 
weak, 288 
column transposition (cipher), 21 
commutative (operation), 383 
complete 




access structure, 322 
residue system, 353 
computationally secure, 287 
conditional 
entropy, 81 
probability, 80 
confidentiality, 1 
congruence relation 
linear, 358 
quadratic, 364 
congruent, 352 
conjugate, 412 
consistency condition (of Kolmogorov), 4 
continued fraction, 369 
conventional cryptosystem, 3 
convergent, 373 
Coppersmith's attack on RSA with related messages, 171 
coprime, 346 
cryptanalyst, 3 
active, 3 
passive, 3 
cryptanalysis, 1 
differential (for block ciphers), 72 
incidence of coincidences, 16 
Kasiski's method, 19 
linear (for block ciphers), 72 
the method of the probable word, 11 
cryptographic transformation, 2 
cryptography, 1 
cryptology, 1 
cryptosystem 
Caesar, 9 
Chor-Rivest, 279 
column transposition, 21 
conventional, 3 
Data Encryption Standard, 67 
DES, 67 
ElGamal public key cryptosystems, 116 
secrecy scheme, 116 






signature scheme, 118 
Enigma, 24 
Hagelin, 22 
IDEA, 70 
knapsack, 268 
LFSR, 32 
linear feedback shift register, 32 
one-way, 107 
Goppa code, 237 
Gram-Schmidt algorithm (for orthogonalization process), 272 
Huffman algorithm (for data compression), 93 
ideal secret sharing scheme, 329 
identity verification protocol 
based on a block cipher, 67 
Fiat-Shamir, 316 
Schnorr, 319 
impersonation attack, 292 
incidence matrix, 298 
incidence of coincidences, 16 
inclusion and exclusion, principle of, 381 
independent (linearly), 392 
index (of an orthogonal array), 305 
index-calculus method (for taking discrete logarithms), 135 
inequality 
Kraft, 89 
information, 75 
exchange system, 114 
cryptosystem, 268 
problem, 263 
authentication, 291 
incidence, 298 
generator, 237 
message authentication code, 289 
microwave attack (physical attack of RSA), 180 
cipher block chaining, 64 
cipher feedback mode, 65 
inverse, 386 
public key cryptosystem, 107 
commutative, 383 
perfect 
authentication code, 294 
source, 4 
Playfair cipher, 20 
PN sequence, 34 
Pohlig-Hellman algorithm, 121 
Pollard-ρ method for factoring integers, 161 
Pollard-ρ method for taking discrete logarithms, 131 
polyalphabetic substitution, 15 
primality test 
Cohen and Lenstra (deterministic; version 1), 193 
element, 405 
n-th root of unity, 405 
protocol, 315 
Diffie-Hellman key exchange, 115 
public key cryptosystem, 105 
Fiat-Shamir protocol, 316 

block cipher based identity verification protocol, 67 
ring, (in general), 386 

principal ideal, 398 

residue class, 388 

sub-, 386 
signature, 153 